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Abstract. The control software of the CERN Compact Muon Solenoid exper- 
iment contains over 30,000 finite state machines. These state machines are or- 
ganised hierarchically: commands are sent down the hierarchy and state changes 
are sent upwards. The sheer size of the system makes it virtually impossible to 
fully understand the details of its behaviour at the macro level. This is fuelled by 
unclarities that already exist at the micro level. We have solved the latter problem 
by formally describing the finite state machines in the mCRL2 process algebra. 
The translation has been implemented using the ASF+SDF meta-environment, 
and its correctness was assessed by means of simulations and visualisations of 
individual finite state machines and through formal verification of subsystems of 
the control software. Based on the formalised semantics of the finite state ma- 
chines, we have developed dedicated tooling for checking properties that can be 
verified on finite state machines in isolation. 



1 Introduction 

The Large Hadron Collider (LHC) experiment at the European Organization for Nuclear 
Research (CERN) is built in a tunnel 27 kilometres in circumference and is designed to 
yield head-on collisions of two proton (ion) beams of 7 TeV each. The Compact Muon 
Solenoid (CMS) experiment is one of the four big experiments of the LHC. It is a gen- 
eral purpose detector to study the wide range of particles and phenomena produced in 
the high-energy collisions in the LHC. The CMS experiment is made up of 7 subdetec- 
tors, with each of them designed to stop, track or measure different particles emerging 
from the proton collisions. Early 2010, it achieved its first successful 7 TeV collision, 
breaking its previous world record, setting a new one. 

The control, configuration, readout and monitoring of hardware devices and the 
detector status, in particular various kinds of environment variables such as temperature, 
humidity, high voltage, and low voltage, are carried out by the Detector Control System 
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Fig. 1. Architecture of the real-time monitoring and control system of the CMS experiment, run- 
ning at the LHC. 



(DCS). The control software of the CMS detector is implemented with the Siemens 
commercial Supervision, Control And Data Acquisition (SCADA) package PVSS-II 
and the CERN Joint Controls Project (JCOP) framework [9]. The architecture of the 
control software for all four big LHC experiments is based on the SMI++ framework 
[5, 6]. Under the SMI++ framework, the real world is viewed as a collection of objects 
behaving as finite state machines (FSMs). These FSMs are described using the State 
Manager Language (SML). A characteristic of the used architecture is the regularity 
and relatively low complexity of the individual FSMs and device drivers that together 
constitute the control software; the main source of complexity is in the cooperation 
of these FSMs. Cooperation is strictly hierarchical, consisting of several layers; see 
Figure 1 for a schematic overview. The FSMs are organised in a tree structure where 
every node has one parent and zero or more children, except for the top node, which 
has no parent. Nodes communicate by sending commands to their children and state 
updates to their parents, so commands are refined and propagated down the hierarchy 
and status updates are sent upwards. Hardware devices are typically found only at the 
bottom-most layer. 

The FSM system in the CMS experiment contains over 30,000 nodes. On average, 
each FSM contains 5 logical states. Based on our early experiments with some subsys- 
tems, we believe that lO 30 - 000 states is a very conservative estimate of the size of the 
state space for the full control system. The sheer size of the system significantly con- 
tributes to its complexity. Complicating factors in understanding the behaviour of the 
system are the diversity in the development philosophies in subgroups responsible for 
controlling their own subdetectors, and the huge amount of parameters to be monitored. 
In view of this complexity, it is currently impossible to trace the root cause of problems 
when unexpected behaviours manifest themselves. A single badly designed FSM may 
be sufficient to lead to a livelock, resulting in non-responsive hardware devices, poten- 
tially ruining expensive and difficult experiments. Considering the scientific importance 
of these experiments, this justifies the use of rigorous methods for understanding and 
analysing the system. 

Our contributions are twofold. First, we have formalised SML by mapping its lan- 
guage constructs onto constructs in the process algebraic language mCRL2 [7]. Second, 
based on our understanding of the semantics of SML, we have identified properties that 
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can be verified for FSMs in isolation, and for which we have developed dedicated veri- 
fication tooling. 

Using the ASF+SDF meta-environment [12], we have developed a prototype trans- 
lation implementing our mapping of SML to mCRL2. This allowed us to quickly as- 
sess the correctness of the translation through simulation and visualisation of FSMs 
in isolation, and by means of formal verification of small subsystems of the control 
software, using the mCRL2 toolset. The feedback obtained by the verification and sim- 
ulation enabled us to further improve the transformation. The use of the ASF+SDF 
meta-environment allowed us to repeat this cycle in quick successions, and, at the same 
time, maintain a formal description of the translation. Although the ASF+SDF Meta 
Environment development was discontinued in 2010, we chose it over similar prod- 
ucts as ATL because we were already familiar with it and because its syntax-driven, 
functional approach results in very clear translation rules. 

Our dedicated verification tools allow the developers at CERN to quickly perform 
behavioural sanity checks on their design, and use the feedback of the tools to further 
improve on their designs in case of any problems. Results using these tools so far are 
favourable: with only a fraction of the total number of FSMs inspected so far, several 
problems have surfaced and have been fixed. 

Outline We give a cursory overview of the core of the SML language in Section 2. The 
mCRL2 semantics of this core are then explained in Section 3, and we briefly elaborate 
on the methodology we used for obtaining this semantics. Our dedicated verification 
tools for SML, together with some of the results obtained so far, are described in further 
detail in Section 4. We summarise our findings and suggestions in Section 5. 

2 The State Manager Language 

The finite state machines used in the CMS experiment are described in the State Man- 
ager Language (SML) [5,6]. We present the syntax and the suggested meaning of the 
core of the language using snapshots of a running example; we revisit this example in 
our formalisation in Section 3. Note that in reality, SML is larger than presented here, 
but the control system is made up largely of FSMs employing these core constructs 
only. 

Listing 1 shows part of the definition of a class in SML. Conceptually, this is the 
same kind of class known from object-oriented programming: the class is defined once, 
but can be instantiated many times. An instantiation is referred to as a Finite State 
Machine. A class consists of one or more state clauses; Listing 1 only shows the state 
clause for the OFF state. Intuitively, a state clause describes how the FSM should behave 
when it is in a particular state. Every state clause consists of a list of when clauses and 
a list of action clauses, either of which may be empty. 

A when clause has two parts: a guard which is a Boolean expression over the states 
of the children of the FSM and a referer which describes what should happen if the 
guard evaluates to true. The base form of a guard is P in_state S, where S is the 
name of a state (or a set of state names) and P is a child pattern. A child pattern consists 
of two parts: the first part is either ANY or ALL and the second part is the name of a class 
or the literal FwCHILDREN. The intended meaning is straightforward: 
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( $ALL$RPC_T in_state OK ) ) move_to ON 


action 


STANDBY 


do 


STANDBY $ALL$RPC_HV 


do 


ON $ALL$RPC_LV 


action 


OFF 


do 


OFF $ALL$FwCHILDREN 


action 


ON 


do 


ON $ALL$FwCHILDREN 



Listing 1: Part of the definition of the Chamber class in SML. 



$ALL$FwCHILDREN in_state ON 

means "all children are in the ON state", and: 

$ANY$RPC_HV in_state {RAMPINGJJP, RAMPING_DOWN} 

evaluates to true if "some child of class RPC_HV is either in state RAMPINGJJP or state 
RAMPING_DOWN". 

A referer is either of the form move_to S, indicating that the finite state machine 
changes its state to S, or of the form do A, indicating that the action with name A 
should be executed next. If the guards of more than one when clause evaluate to true, 
the topmost enabled referer is executed. Whenever the FSM moves to a new state, it 
executes the when clauses, starting from the top when clause, to see if it should stay in 
this state (all guards are false) or if it should go to another state (some guard is true). 
It is therefore possible that a single move_to referer or statement (see below) triggers a 
series of state changes. 

An action clause consists of a name and a list of statements. When an FSM receives 
a command while in a state S, it looks inside the state clause of state S for an action 
clause with the same name as the command and if such an action clause exists, it exe- 
cutes its statement list. If no such action exists, the command is ignored. For example, 
if the Chamber finite state machine from Listing 1 is in state OFF and it receives an ON 
command, it will execute the last action clause. 
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The most commonly used statement is do C P, which means that the command C 
is sent to all children which match the child pattern P. After a command is sent, the 
child is marked busy. When a child sends its new state back, this busy flag is removed. 
The do statement is non-blocking, i.e., it does not wait for the children to respond with 
their new state. The child pattern always starts with $ALL$ in this context. SML also 
provides if and movejto statements, as we illustrated in Listing 2. 



action: STANDBY 

do STANDBY $ALL$RPC_HV 
do ON $ALL$RPC_LV 

if ( $ALL$RPC_LV in_state ON ) then 
do ON $ALL$RPC_HV 
do ON $ALL$RPC_LV 

if ( $ALL$RPC_HV in_state ON ) then 

do ON $ALL$RPC_HV 

move_to ON 
end if 

else 

do STANDBY $ALL$RPC_LV 
do STANDBY $ALL$RPC_HV 
do STANDBY $ALL$FwCHILDREN 
endif 



Listing 2: An example of a more complex action clause. 

The move_to S statement immediately stops execution of the action clause and 
causes the FSM to move to the S state. The if G then SI else S2 endif statement 
blocks as long as there is a child, referred to in G, that has a busy flag. If the guard G 
evalutates to true, then SI is executed and otherwise S2 is executed. The else clause is 
optional. 

3 A Formal Semantics for SML 

We use the process algebra mCRL2 [7] to formalise the semantics of programs written 
in SML. The formal translation of SML into mCRL2 can be found in the appendices. 

Our choice for mCRL2 is motivated largely by the expressive power of the language, 
its rich data language rooted in the theory of Abstract Data Types, its available tool 
support, and our understanding of the advantages and disadvantages of mCRL2. Before 
we address the translation of SML to mCRL2, we briefly describe the mCRL2 language. 

3.1 A Brief Overview of mCRL2 

The mCRL2 language consists of two distinct parts: a data language for describing 
the data transformations and data types, and a process language for specifying system 
behaviours. For a comprehensive language tutorial, we refer to http : //mcrl2 . org. 
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The data language, which is rooted in the theory of abstract data types, includes 
built-in definitions for many of the commonly used data types, such as Booleans, Inte- 
gers, Natural numbers, etc., and allows users to specify their own data sorts. In addition, 
container sorts, such as lists, sets and bags are available. 

The process specification language of mCRL2 consists of only a small number of 
basic operators and primitives. The language is inspired by process algebras such as 
ACP [1], and has both an axiomatic and an operational semantics. 

A set of (parameterised) actions are used to model atomic, observable events. Pro- 
cesses are constructed compositionally: the non-deterministic choice between processes 
p and q is denoted p+q; their sequential composition is denoted p . q, and their parallel 
composition is denoted p I I q. In addition, there are facilities to enforce communication 
between different actions and abstracting from actions. 

The main feature of the process language is that processes can depend on data. 
For instance, b->p<>q denotes a conditional choice between processes p and q: if b 
evaluates to true, it behaves as process p, and otherwise as process q. In a similar vein, 
sum d : D . p (d) describes a (possibly infinite) choice between processes p with different 
values for variable d. 

3.2 From SML to mCRL2 

We next present our formalisation of SML in mCRL2. Every SML class is converted 
to an mCRL2 process definition; the behaviour of an FSM is then described by the be- 
haviour of a process instance. Each FSM maintains a state and a pointer to the code it is 
currently executing. In addition, an FSM is embedded in a global tree-like configuration 
that identifies its parent, and its children. In order to faithfully describe the behaviour 
of an FSM, we therefore equip each mCRL2 process definition for a class X with this 
information as follows: 

proc X_CLASS (self : Id, parent: Id, s: State, chs : Children, 
phase: Phase, aArgs : ActPhaseArgs) 

Parameter self represents a unique identifier for a process instance, and parent is 
the identifier of self's parent in the tree. Parameter s is used to keep track of the state 
of the FSM. The state information of self's children is stored in chs of sort Children, 
which is a list of sort Child, a structured sort: 

Children = List (Child); 

Child = struct child(id: Id, state:State, ptype:PType, busy:Bool); 

The above structured sort Child can be thought of as a named tuple; id represents 
the unique identifier of a child, state is the state that this child sent to X in its last 
state-update message, ptype maintains the FSM class of this child, and busy is the 
flag that indicates that the child is still processing the last command X sent to it. This 
flag is set after sending a message to the child, and reset when it responds with its new 
state. Whenever X receives a state-update message from one of its children, the chs 
structure is updated accordingly. This structure is used to evaluate the when clauses and 
to determine to which processes commands have to be sent. 
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The phase parameter has value WhenPhase if the FSM is executing the when 
clauses and ActionPhase otherwise; Phase is a simple structured sort containing these 
two values. The phases will be explained in detail in the following section. Finally, 
aArgs is a structure that contains information we only need in the action phase. It is 
defined as follows: 

ActPhaseArgs = struct actArgs(cq: CommandQueue , nrf : IdList, 

pc: Int, rsc: Bool) 

We forego a discussion of the nrf and rsc parameters, which are solely used during an 
intialisation phase. The command queue cq contains messages that are to be sent to an 
FSM's children. Specifically, when executing a do C P statement, we add a pair with 
the child's id and the command C to cq, for every child matching the child pattern P. 
The command queue is subsequently emptied by sending the messages stored in cq. 



when phase 

receive state-update 
all guards are false 



evaluating 
when clauses 



command queue is empty 



action phase 



waiting for 
command or 
state-update 



received command 



executing 
statements 



executed 
last statement 



emptying 
command 
queue 



Fig. 2. Overview of the when phase and the action phase. 



Phases During the when phase, a process executes when clauses until it reaches a 
state in which none of the guards evaluate to true. It then moves to the action phase. 
In the action phase, a process can receive a command from its parent or a state-update 
message from one of its children. This process is illustrated in Figure 2. After handling 
the command or message, it returns to the when phase. 

Translating the when phase turns out to be rather straightforward: for each state a 
process term consisting of nested if-then-else statements is introduced, formalised by 
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mCRL2 expressions of the form b->p<>q (if b, then act as process p, otherwise as 
q). Each if-clause represents exactly one when clause. The else-clause of the last when 
clause sends a state-update message (represented by the mCRL2 action send_state) 
with the current state to the parent of this FSM and moves to the action phase. An 
example is given in Translation 1 . 



SML 




mCRL2 


state : 


OFF 


instate_OFF(s) && isWhenPhase (phase) -> ( 


when 


Gl move_to SI 


translation_of _G1 -> 






move_state(self ,S1) . 


when 


Gn move_to Sn 


X_CLASS (self , parent , SI , chs , phase , aArgs) <> 






translation_of _Gn -> 






move_state(self ,Sn) . 






X_CLASS (self , parent , Sn , chs , phase , aArgs) <> 






send_state (self .parent , s) . 






move_phase (self , ActionPhase) . 






X_CLASS ( self , parent , s , chs .ActionPhase , 






reset (aArgs))) 



Translation 1: Simplified translation of the when clauses of a state OFF. Note that 
p . q describes the process p that, upon successful termination, continues to behave as 
process q. 



The move_state action indicates that the process changes its state. The sencLstate 
action communicates with the receive_state action to a comm_state action, repre- 
senting the communication of the new state to the parent. Note that the state is sent only 
if none of the guards are true. Upon sending the new state, the process changes to the 
action phase, signalled by a move_phase action. 

Modelling the action phase is more involved as we need to add some terms for ini- 
tialisation and sending messages. We will focus on the translation of the action clauses 
and the code which handles state-update messages. 

SML allows for an arbitrary number of statements and an arbitrary number of 
(nested) if-statements in every action clause. We uniquely identify the translation of 
every statement with an integer label. After executing a statement, the pc (aArgs) pro- 
gram counter is set to the label of the statement which should be executed next. There 
are two special cases here: 

- Label 0, the clause selector. When entering the action phase, the program counter is 
set to 0. Upon receiving a command, the clause selector sets the program counter to 
the label of the first statement of the action clause that should handle the command. 

- Label -1, end of action. After executing an action, the program counter is set to -1, 
signalling that the command queue must be emptied and the process must change 
to the when phase. 
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An example is given in Translation 2. The receive_command action models the recep- 
tion of a command that was sent by the FSM's parent. Such a command is ignored if no 
action clause handles it. In the example, observe that both after ignoring a command 
and after completing the execution of the STANDBY action handler, the program counter 
is set to -1. A process term not shown here then empties the command queue by issue- 
ing a sequence of send_command actions, and subsequently returns to the when phase. 
Note that these send_command actions and receive_command actions are meant to 
synchronise, resulting in a comm_command action. This is enforced at a higher level in 
the specification. 



SML 


mCRL2 


state: OFF 


instate_OFF(s) && isActPhase (phase) -> ( 


action: STANDBY 


pc(aArgs) == -> 


do STANDBY $ALL$Y 


sum c : Command. ( 


do ON $ALL$Z 


receive_command (parent , self , c) . 


action: OFF 


isC_STANDBY(c) -> 


do OFF $ALL$Y 


X_CLASS (self , parent , s , chs , phase , 


action: ON 


update_pc(aArgs,l)) <> 


do ON $ALL$Y 


isC_0FF(c) -> 




X_CLASS (self , parent , s , chs .phase , 




update_pc(aArgs,3)) <> 




isC_0N(c) -> 




X_CLASS (self , parent , s , chs , phase , 




update_pc(aArgs,4)) <> 




send_state(self .parent , s) . 




ignored_command(self , c) . 




X_CLASS (self .parent , s , chs .phase , 




update_pc(aArgs,-l))) + 




pc(aArgs) == 1 -> 




RPC_Chamber_CLASS( self .parent , s , chs .phase , 




add_HV_STANDBY_commands ( 




update_pc(aArgs,2))) + 




pc(aArgs) == 2 -> 




RPC_Chamber_CLASS( self .parent , s , chs .phase , 




add_LV_0N_ commands ( 




update_pc(aArgs,-l)) + ... 



Translation 2: Simplified translation of the action clauses of a state OFF. 



Since a do statement is asynchronous, the children can send their state-update at 
any time during the action phase. This is dealt with as follows. Suppose a state-update 
message is received. If this precedes the reception of a command in this action phase, 
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we simply process the state-update and move to the when phase. If we are in the middle 
of executing an action clause, we process the state-update, but do not move to the when 
clause. 

3.3 Validating the Formalisation of SML 

The challenge in formalising SML is in correctly interpreting its language constructs. 
We combined two strategies for assessing and improving the correctness of our se- 
mantics: informal discussions with the development team of the language and applying 
formal analysis techniques on sample FSMs taken from the control software. 

The discussions with the SML development team were used to solidify our initial 
understanding of SML and its main constructs. Based on these discussions, we manu- 
ally translated several FSMs into mCRL2, and validated the resulting processes man- 
ually using the available simulation and visualisation tools of mCRL2. This revealed 
a few minor issues with our understanding of the semantics of SML, alongside many 
issues that could be traced back to sloppiness in applying the translation from SML to 
mCRL2 manually. 

In response to the latter problem, we eliminated the need for manually translating 
FSMs to mCRL2. To this end, we utilised the ASF+SDF meta-environment (see [12, 
10]) to rapidly prototype an automatic translator that, ultimately, came to implement 
the translation scheme we described in the previous section. The Syntax Definition For- 
malism (SDF) was used to describe the syntax of both SML and mCRL2, whereas the 
Algebraic Specification Formalism (ASF) was used to express the term rewrite rules 
that are needed to do the actual translation. Apart from the gains in speed and the con- 
sistency in applying the transformations that were brought about by the automation, the 
automation also served the purpose of formalising the semantics of SML. 

The final details of our semantics were tested by analysing relatively well-understood 
subsystems of the control software in mCRL2. We briefly discuss our findings using a 
partly simplified subsystem, colloquially known as the Wheel, see Figure 3. The Wheel 
subsystem is a component of the Resistive Plate Chamber (RPC) subdetector of the 
CMS experiment. It belongs to the barrel region of the RPC subdetector. Each Wheel 
subsystem contains 12 sectors, each sector is equipped with 4 muon stations which are 
made of Drift Tube chambers. We forego a detailed formal discussion of this subsystem 
(for details, we refer to [11]), but only address our analysis of this subsystem using for- 
mal analyses techniques, and the impact this had on our understanding of the semantics 
and the transformation. It is important to keep in mind that the analysis was conducted 
primarily to assess the quality of our translation, the correctness of the subsystem being 
only secondary. 

The mCRL2 specification of the Wheel subsystem was obtained by combining the 
mCRL2 processes obtained by running our prototype implementation on each involved 
FSM. Generating the state space of the Wheel subsystem takes roughly one minute 
using the symbolic state space generation tools offered by the LTSmin tools [4]. This 
toolset can be integrated in the mCRL2 toolset. For the discussed configuration, the 
state space is still of modest proportions, measuring slightly less than 5 million states 
and 24 million transitions. Varying the amount of children of class Sector causes a 
dramatic growth of the state space. Using 3 instead of 2 children of class Sector yields 
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C Monitor 



Wheel subsystem 




Fig. 3. A schematic overview of our model of the Wheel subsystem, and its used FSMs. The 
identifiers of the processes representing the FSMs are given between parentheses; these were 
used in our analyses. 

roughly 800 million states; using 4 children of class Sector, leads to 120 billion states, 
and requires half a day. 

Apart from repeating the simulations and visualisations, at this stage we also applied 
model checking to systematically probe the translation. Together with the development 
team of the Wheel subsystem, a few basic requirements were formalised in the first- 
order modal ^-calculus [8], see Table 1. The first-order modal ^-calculus is the default 
requirement specification language in the mCRL2 toolset. 

The studied subsystem was considered to satisfy all stated properties. While smooth- 
ing out details in the translation of SML to mCRL2, the deadlock-freedom property was 
violated every now and then, indicating issues with our interpretation of SML. These 
were mostly concerned with the semantics of the blocking and non-blocking constructs 
of SML, and the complex constructs used to model the message passing between FSMs 
and their children. 

The absence of intermediate states in the when phase was violated only once in 
our verification efforts. A more detailed scrutiny of the run revealed a problem in our 
translation, which was subsequently fixed. 

The third requirement, stating the inevitability of a state change by a child once 
such a state change has been commissioned, failed to hold. The violation is caused by 
the overriding of commands by subsequent commands that are issued immediately. Dis- 
cussions with the development teams revealed that the violations are real, i.e., they are 
within the range of real behaviour, suggesting that our formalisation was adequate. The 
property was modified to ignore the spurious runs, resulting in the following property: 

nu X. [true]X && 

[comm_command(i , i_c , c)] (mu Y. <true>true && 
[ ! (comm_state(i_c , i , c2s (c) ) I I 

exists c ': Command . comm_command(i , i_c , c ' ) )] Y) 

The final requirement also failed to hold. The violation is similar spirited to the 
violation of the third requirement, and, again found to comply to reality. The weakened 



11 



Table 1. Basic requirements for the Wheel subsystem; i : Id denotes an identifier of an FSM; 
i_c:Id denotes a child of FSM i; c: Command denotes a command;c2s (c) denotes the state 
with the homonymous command name, e.g., c2s (ON) = ON. 



1. Absence of deadlock: 

mi X. [true]X kk <true>true 

2. Absence of intermediate states in the when phase: 

mi X. [true]X kk 

[exists s:State. move_state(i,s)] (nu Y. 

[( !move_phase(i,ActionPhase))]Y 
kk [exists s: State. move_state(i,s)] false) 

3. Responsiveness: 

nu X. [true]X kk 

[comm_command(i , i_c , c)] (mu Y. 

<true>true kk [ ! comm_state (i_c , i , c2s(c) )] Y) 

4. Progress: 

nu X. [true]X kk 

mu Y. <exists s: State. move_state (i , s)>true 

I I 

(<true>true kk [true]Y) 



requirement that was subsequently agreed upon expresses the attainability of some state 
change: 

nu X. [true]X kk 

mu Y. <exists s:State. move_state(i,s)>true I I <true>Y 

Neither visual inspection of the state space using 2D and 3D visualisation tools, nor 
simulation using the mCRL2 simulators revealed any further incongruences in our final 
formalisation of SML, sketched in the previous section. 

4 Dedicated Tooling for Verification 

Some desired properties, such as the absence of loops within the when phase, can be 
checked by analysing an FSM in isolation, using the transformation to mCRL2. How- 
ever, the verifications using the modal ^-calculus currently require too much overhead 
to serve as a basis for lightweight tooling that can be integrated in the SML development 
environment. 

In an attempt to improve on this situation, we explored the possibilities of using 
Bounded Model Checking (BMC) [3, 2]. The basic idea of BMC is to check for a coun- 
terexample in bounded runs. If no bugs are found using the current bound, then the 
bound is increased until either a bug is found, the problem becomes intractable, or 
some pre-determined upper bound is reached upon which the verification is complete. 
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The BMC problem can be efficiently reduced to a propositional satisfiability problem, 
and can therefore be solved by SAT methods. SAT procedures do not necessarily suffer 
from the space explosion problem, and a modern SAT solver can handle formulas with 
hundreds of thousands of variables or more, see e.g. [2]. 

We have applied BMC techniques for the detection of move_to loops and the detec- 
tion of unreachable states and trap states. As an example of a move_to loop, consider 
the excerpt of the ECALf w_CoolingDee FSM class in Listing 3, which our tool found to 
contain issues. If an instance of ECALf w_CoolingDee has one child in state ERROR and 
one in state N0_C0NNECTI0N, it will loop indefinitely between these two states. Once 
this happens, an entire subsystem may enter a livelock and become unresponsive. 



state : 


ERROR 










when 


( $ANY$FwCHILDREN 


in. 


.state 


N0_C0NNECTI0N ) 


move_to N0_C0NNECTI0N 


when 


( $ALL$FwCHILDREN 


in. 


.state 


OK ) move_to OK 




state : 


NCLCONNECTION 










when 


( $ALL$FwCHILDREN 


in. 


.state 


OK ) move_to OK 




when 


( $ANY$FwCHILDREN 


in. 


.state 


ERROR ) move_to 


ERROR 



Listing 3: An excerpt from the ECALf w_CoolingDee FSM that exhibits a loop within 
the when phase. 



We first convert this problem into a graph problem as follows. Let T be an FSM 
and M be a Kripke structure. A state in M corresponds to the combined state of T and 
its children, e.g., if JF is in state ON and has two children which are in state OFF, then 
the corresponding state in M. is (ON, OFF, OFF). There is a transition between two states 
s\ and S2 in M if and only if si can do a move_to action to s 2 in J ' . Moreover, every 
state in M is an initial state. It thus suffices to inspect M instead of T, as stated by the 
following lemma: 

Lemma 1. T contains a loop of movent o actions if and only if M. contains a loop. 

We next translate the problem of detecting a loop in M into a SAT problem. First, 
we consider executions of length k; afterwards, we show that we can statically choose 
k such that we can find every loop. 

Let the predicate instate be defined as follows: in_state(s,p, i) holds if and only 
if the process with identifier p is in state s after i steps. We assign the identifier zero to 
the FSM under consideration and the numbers 1,2,3,... to its children. The resulting 
formula will have three components: the state constraints, the transition relation and 
the loop condition. 

Using the state constraints, we ensure the FSM to always be in exactly one state. 
Moreover, the states of the children should not change during the execution of the when 
phase, per the semantics in the previous section. This is straigthforwardly expressed as 
a boolean formula on the instate predicate. 

Next, we encode the transition relation: the relation between instate(s, 0, i) and 
instate(s', 0, i + 1) for every i. In other words: the move_to steps the parent process is 



13 



allowed to take. This involves converting the when clauses for each state of the parent 
FSM, taking care the semantics as outlined in the previous section is reflected. The last 
ingredient is the loop condition: if in_state(s, 0, 0) holds, then in_state(s,0 7 i) must 
hold for some i > 1, indicating that the parent returned to the state in which it started. 

The final SAT formula is obtained by taking the conjunction of the state constraints, 
the transition relation and the loop condition. It is not hard to see that if this formula is 
satisfiable, then there is a loop in M. and hence in J ' . It is more difficult to show that 
if there is a loop, then the formula is satisfiable. Let n be the total number of states of 
the FSM and let n t be the total number of states of each child class t. We then have the 
following result: 

Theorem 1. All possible loops in T can be found by considering paths of length at 
most n in an FSM configuration T having n t children for each child class t. 

Proof (sketch). Since T only has n states, the longest possible loop also contains n 
states. Since every state in Ai is an initial state, every possible loop can by found by 
doing n steps from an initial state. 

It remains to show that all loops can be found by considering a configuration with n t 
children for each child class t. This follows from the fact that SML guards are restricted 
to check for any or all children in a particular state. □ 

A second desirable behavioural property of an FSM is that all states should remain 
reachable during the execution of an FSM. While we can again easily encode this prop- 
erty into the modal /i-calculus, we use a more direct approach to detect violations of 
this property by constructing a graph that captures all potential state changes. For this, 
we determine whether there is a configuration of children such that T can execute a 
move_to action from a state s to a state s'. Doing so for all pairs (s, s') of states of T 
yields a graph encoding all possible state changes of T . 

Computing the strongly connected components (SCCs) of the thusly obtained graph 
gives sufficient information to pinpoint violations to the reachability property: the pres- 
ence of more than a single SCC means that one cannot move back and forth these 
SCCs (by definition of an SCC), and, therefore, their states. Note that this is an under- 
approximation of all errors that can potentially exist, as the actual reachability dynami- 
cally depends on the configuration of the children of an FSM. Still, as the state change 
graph of the ESf w_Endcap FSM class in Figure 4 illustrates, issues can be found in pro- 
duction FSMs: the OFF state can never be reached from any of the other states. Using 
the graphs generated by our tools, such issues are quickly explained and located. 

Results The results using our dedicated tools for performing these behavioural sanity 
checks on isolated FSMs are very satisfactory: of the several hundreds of FSM classes 
contained in the control system, we so far analysed 40 FSM classes and found 6 to 
contain issues. In 4 of these, we found logical errors that could give rise to livelocks 
in the system due to the presence of loops in the when phase; an example thereof is 
given in Listing 3. Somewhat unexpectedly, all loops were found to involve two states. 
Note that the size of the average FSM class (in general more than 100 lines of SML 
code, and at least two children) means that even short loops such as the ones identified 
so far remain unnoticed and are hard to pinpoint. The remaining two FSM classes were 
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Fig. 4. The state change graph for the ESfw_Endcap FSM class. The solid lines are bidirectional; 
the dotted lines are unidirectional state changes. The SCCs are indicated by the dashed frames. 

found to violate the required reachability of states, see e.g. Figure 4. The speed at which 
the errors can be found (generally requiring less than a second) means that the sanity 
checks could easily be incorporated in the design cycle of the FSMs. 

5 Conclusion 

We discussed and studied the State Machine Language (SML) that is currently used for 
programming the control software of the CMS experiment running at the Large Hadron 
Collider. To fully understand the language, we formalised it using the process algebraic 
language mCRL2. The quality of our formalisation was assessed using a combination 
of simulation and visualisation of the behaviour of FSMs in isolation and formally 
verifying small subsystems using model checking. To facilitate, among others, the as- 
sessment, the translation of SML to mCRL2 was implemented using the ASF+SDF 
meta-environment. Based on our understanding of the semantics of SML, we have built 
dedicated tools for performing sanity checks on isolated FSMs. Using these tools we 
found several issues in the control system. These tools have been well-received by the 
engineers at CERN, and are considered for inclusion in the development environment. 

Our formalisation of SML opens up the possibility of verifying realistically large 
subsystems of the control system; clearly, it will be one of the most challenging veri- 
fication problems currently available. In our analysis of the Wheel subsystem, we have 
only used a modest set of tools for manipulating the state space; symmetry reduction, 
partial order reduction, parallel exploration techniques, abstractions and abstract in- 
terpretation were not considered at this point. It remains to be investigated how such 
techniques fare on this problem. 

Acknowledgments. We thank Giel Oerlemans, Dennis Schunselaar and Frank Staals 
from the Eindhoven University of Technology for their contribution to a first draft of the 
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A ASF and SDF files 



A.l midtools.sdf 



7.7. Module that defines the identifiers used throughout our languages. 

module midtools 
imports 

basic/Whitespace 

basic/Comments 

basic/Booleans 

basic/Integers 

sorts 

7.7, B3 from the mCRL2 spec. 

Mid 

MIds 

lexical restrictions 

Mid -/- [a-zA-Z0-9\_V] 

lexical syntax 

[a-zA-Z\_] ([a-zA-Z0-9\_\'])* -> Mid 

context-free syntax 
7,7. Identifiers (B3) 
{Mid ",">+ -> MIds 

7,7, Concatenate two MIds . 

concat(MId, Mid) -> Mid 

7,7, Return whether an Mid is in a list of MIds. 

contains(MId, Mid*) -> Boolean 

'/,'/, Given a list, remove all duplicates. If the list contains two identical elements 
7,7, only the *rightmost* element will be preserved. 

removeDuplicates(MId*) -> Mid* 

7,7, Remove all occurrences of an element from a list. 

remove(MId, Mid*) -> Mid* 

7,7, Compute the set intersection of two lists. The resulting list has no duplicates, 
intersect (Mid*, Mid*) -> Mid* 

7.7, Returns true iff the list is empty. 

empty(MId*) -> Boolean 

7,7. Returns the length of a list of MIds. 

length(MId*) -> Integer 

hiddens 
variables 

"$mid"[0-9]* -> Mid 

"$mid+"[0-9]* -> MId+ 

"$mid*"[0-9]* -> Mid* 

"$i" -> Integer 

lexical variables 

"#midKead"[0-9]* -> [a-zA-Z\_] 

"#midTailChar " [0-9] * -> ( [a-zA-Z0-9\_\ J ] ) 

"#midTail" [0-9]* -> ( [a-zA-Z0-9\_\ >] ) * 



A.2 midtools.asf 

[concat-l] 

concat(mid(#midHeadl #midTaill) , mid(#midHead2 #midTail2)) = mid(#midHeadl #midTaill #midHead2 #midTail2) 

[contains-empty] 
contains ($mid, ) = false 

[ c ont a in s -mat ch] 

contains ($mid, $mid $mid*) = true 

[contains-nomatch] 
$midl ! = $mid2 

contains($midl , 3>mid2 $mid*) = contains ($midl , $mid*) 
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[removeDuplicates-empty] 
removeDuplicates () = 

[removeDuplicates -many-no nunique] 
contains($mid, $mid*) == true 

removeDuplicates($mid $mid*) = removeDuplicates($mid*) 

[removeDuplicates-many-unique] 
contains($mid, $mid*) == false 

removeDuplicates($mid $mid*) = $mid removeDuplicates($mid*) 

[remove-empty] 
remove ($mid, ) = 

[remove-many-nomatch] 
$midl != $mid2 

remove($midl , $mid2 $mid*) = $mid2 remove ($midl , $mid*) 
[remove-many-match] 

remove($mid, $mid $mid*) = remove($mid, $mid*) 



[inter sect-empty] 
intersect (, $mid*2) = 

[ inter se ct -many -mat ch] 
contains ($mid, $mid*2) == true 

intersect($mid $mid*l, $mid*2) = 

[ inter se ct -many-nomat ch] 
contains ($mid, $mid*2) == false 

intersect($mid $mid*l, $mid*2) = 

[empty-true] 
empty () = true 

[empty-false] 
empty($mid+) = false 

[length-empty] 
length () = 

[length-many] 

$i := length($mid*) 

length($mid $mid*) = $i + 1 



$mid intersect ($mid*l , $mid*2) 



intersect ($mid*l , $mid*2) 



.3 cfsm.sdf 

*/,'/, Authors: 

'/'/, Vincent Kusters 

'/,'/, Dennis Schunselaar 

module cfsm 
imports 

basic/Comments 

basic/Whit espace 

midtools 

context-free start-symbols 
FSMSpecification 



sorts 

Identifier 

FSMSpecification 

FSMClass 

FSMStateClause 

FSMWhenClause 

FSMRef erer 

FSMActionClause 

FSMStatement 

FSMParameter 

FSMExpression 



FSMChildrenSpec 
FSMChildrenAny 



FSMChildrenAll 
FSMChildrenAnySpecific 
FSMChildrenAnyFwChildren 
FSMChildrenAllSpecif ic 
FSMChildrenAllFwChildren 

FSMClassName 
FSMStateName 
FSMStateNameSpec 
FSMActionName 



lexical syntax 

"!" "=" ~[\n]* [\n] -> LAYOUT 
"/associated" ~ [\n] * [\n] -> LAYOUT 
"/ASSOCIATED" ~[\n]* [\n] -> LAYOUT 
[A-zA-Z0-9]* -> Identifier 



context-free syntax 

'/,'/, Rule for the top level sort. 
FSMClass+ 



-> FSMSpecif icatif 



'/,'/, Rules for the various clauses. 

"class: $FWPART_$TOP$" FSMClassName FSMStateClause+ 
"state:" FSHStateName FSHWhenClause* FSMActionClause* 
"when" "(" FSHExpression ")" FSMReferer+ 
VI, "when" "(" "not" "(" FSMExpression ")" ")" FSMRefe: 



"actio 



FSMActionName FSMStatement* 



FSMClass 
FSMStateClause 

■ FSMWhenClause 

■ FSMWhenClause 
FSMActionClause 



7,7, Rules for the statements. 

Identifier 
"move_to" FSMStateName 
"do" FSMActionName FSMChildrenSp. 
"do" FSMActionName "(" FSMParame 



"if" "(" FSMExpri 



rameter "=" FSMParamet- 
then" FSMStatement+ ("■ 



-> FSMParameter 
-> FSMStatement 
-> FSMStatement 
")" FSMChildrenSpe< 
e" FSMStatement+)? 



-> FSMStatement 
'endif" -> FSMStatement 



7,7, Rules for the refe 
"move.to" FSMStateNam 
"do" FSMActionName 



■ FSMRefe: 

■ FSMRefe: 



7,7, Rules for expressions. 

FSMChildrenSpec "in.state" FSMStateNameSpec -> FSMExpre: 

FSMChildrenSpec "not_in_state" FSMStateNameSpec -> FSMExpre^ 

"not" "(" FSHExpression ")" -> FSMExpri 

"not" "(" FSHExpression ")" "and" "(" FSMExpression ")" -> FSHExpres; 



"(" FSMExpres: 
FSMExpression 
FSMExpression 



'and" FSMExpression 
"or" FSMExpression 



7,7, Rules for state i 

FSMStateHame 

"{" {FSMStateName " 



ame specifications . 



■ FSMExpression 

■ FSMExpression {left} 

■ FSMExpression {left} 



■ FSMStateNameSpec 

■ FSMStateNameSpec 



*/,'/, Rules for sets of children. 



"(" FSMChildrenSpe< 

FSMChildrenAny 

FSMChildrenAll 



-> FSMChildrenSpec 
-> FSMChildrenSpec 
-> FSMChildrenSpec 



FSMChildrenAnySpecific 
FSMChildrenAnyFwChildren 
FSMChildrenAllSpecif ic 
FSMChildrenAllFwChildren 



-> FSMChildrenAny 

> FSMChildrenAny 
-> FSMChildrenAll 

> FSMChildrenAll 



"$ANY$" FSMClassName 
" $ANY$FwCHILDREN " 
" $ANY$FwCHILDREN " 



-> FSMChildrenAnySpecific 

-> FSMChildrenAnyFwChildren 

-> FSMChildrenAnySpecific {reject} 



"$ALL$" FSMClassName 
" $ALL$FwCHILDREN " 
"$ALL$FwCHILDREN" 

Mid -> FSMClassName 
Mid -> FSMStateName 
Hid -> FSMActionName 



-> FSMChildrenAllSpecif ic 

-> FSMChildrenAllFwChildren 

-> FSMChildrenAllSpecif ic {reject} 



A.4 mcrlt.sdf 

7,7, Author: Vincent Kusters. 

module merit 
imports 
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10 



basic /White spao 
basic/Comments 
basic/Integers 
midtools 

exports 
X X Number 
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20 



25 



30 



35 



40 



45 



50 



55 



7.7. B4 

SortExpr 

Domain 

SortSpec 

SortDecl 

ConstrDecl 

ProjDecl 

ProjDecls 

7.7. B5 

IdDecl 

IdsDecl 

OpSpec 

OpDecl 

7.7. B6 

EqnSpec 

EqnDecl 

XX B7 
DataExpr 
DataExprs 
BagEnumElt 
BagEnumElt s 

XX B8 

MAId 

MAIdSet 

CommExpr 

CommExprSet 

RenExpr 

RenExprSet 

XX B9 
ProcExpr 

XX B10 
ActDecl 
ActSpec 

XX Bll 
ProcDecl 
ProcSpec 
Init 



60 



65 



70 



75 



80 



85 



90 



XX B12 
MCRL2Spec 

lexical restrictions 

Mid -/- [a-zA-Z0-9\_V] 

context-free start-symbols 
MCRL2Spec 

lexical syntax 

XX We disallow comments starting with "XX" 
XX ambiguity with ASF+SDF comments. 
[\r\t\n\ ] -> LAYOUT 

C-[\'/.] ~[\n]*)? [\n] -> LAYOUT 



XX Identify 
'/, We will 



this leads to 



(B3) 

Integer instead of Number. 



XX Keywords 


B1J 




"sort " 


-> 


Mid 


{reject> 




-> 


Mid 


{reject> 


"map" 


-> 


Mid 


{reject> 




-> 


Mid 


{reject> 


"eqn" 


-> 


Mid 


{reject> 






Mid 


{reject} 


"proc" 




Mid 


{reject} 






Mid 


{reject} 


"delta" 




Mid 


{reject} 






Mid 


{reject} 




-> 


Mid 


{reject} 


"block" 


-> 


Mid 


{reject} 
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allow" 


-> 


Mid 


{r 


ject> 


hide" 


-> 


Mid 


{r 


ject} 


rename" 


-> 


Mid 


{r 


ject} 


comm" 


_> 


Hid 


{r 


ject} 


struct" 


-> 


Mid 


{r 


ject} 


Bool" 


-> 


Mid 


{r 


ject} 


Pos" 


-> 


Mid 


It 


ject} 


Nat" 


-> 


Mid 


{r 


ject} 


Int" 


-> 


Mid 


It 


ject} 


Real" 


-> 


Mid 


{r 


ject} 


List" 


-> 


Mid 


{r 


ject} 


Set" 


-> 


Mid 


{r 


ject} 


Bag" 


-> 


Mid 


{r 


ject} 






Mid 


{r 


ject} 


false" 




Mid 


{r 


ject} 






Mid 


{r 


ject} 






Mid 


{r 


ject} 


lambda" 




Mid 


{r 


ject} 


forall" 




Mid 


{r 


ject} 






Mid 


{r 


ject} 




-> 


Mid 


{r 


ject} 




-> 


Mid 


{r 


ject} 




-> 


Mid 


{r 


ject} 



7.7. Soi 



: and sort declarations (B4) 



"Bool" 

"Pos" | "Nat" | "Int" | 
"List" "(" SortExpr ")" 
"Set" "(" SortExpr ")" 
"Bag" "(" SortExpr ")" 
Mid 

"(" SortExpr ")" 
Domain "->" SortExpr 



-> SortExpr 
-> SortExpr 
-> SortExpr 
-> SortExpr 
-> SortExpr 
-> SortExpr 
-> SortExpr 
-> SortExpr 



{SortExpr "#"}+ 
"sort" SortDecl+ 
Mlds ";" 

Mlds "=" SortExpr 
Mlds "=" " 



{ConstrDecl " | "}+ 



Domain 
Sort Spec 
SortDecl 
SortDecl 
SortDecl 



7,7, Difference with the specification in the reader: 
7,7, the "? Mid" part is obligatory. 

Mid ("(" ProjDecls ")")? ("?" Mid) -> ConstrDecl 

(Mid ":")? Domain -> ProjDecl 

{ProjDecl ","}+ -> ProjDecls 



7,7, Declarations of constructors and mappings (B5) 
Mid ":" SortExpr -> IdDecl 

Mlds " :" SortExpr ";"? -> IdsDecl 
("cons" | "map") DpDecl+ -> OpSpec 
IdsDecl " ; " -> OpDecl 



7,7. Declaration of equations (B6) 

"eqn" EqnDecl+ -> EqnSpec 

"var" IdsDecl+ "eqn" EqnDecl+ -> EqnSpec 

DataExpr "=" DataExpr ";" -> EqnDecl 

DataExpr "->" DataExpr "=" DataExpr ";" -> EqnDecl 



7,7. Data expressions (B7) 

Mid | Integer | "true" | "false" | " [] " | 

" [" DataExprs "] " 

"{" DataExprs "}" 

"{" BagEnumElts "}" 

"{" IdDecl "|" DataExpr "}" 

" ( " DataExpr " ) " 

7,7, DataExpr with arguments was moved to tl 
("!" | "#") DataExpr 
("forall" | "exists") IdDecl 
7,7, DataExpr with the binary 

"lambda" IdDecl " . " DataExpr 
DataExpr "whr" DataExprs "end" 

{DataExpr ","}+ 

DataExpr " : " DataExpr 
{BagEnumElt " ,"}* 



DataExpr 
operators was 



"{}" -> DataExpr 

-> DataExpr 

-> DataExpr 

-> DataExpr 

-> DataExpr 

-> DataExpr 
ie context-free priority se 

-> DataExpr 

-> DataExpr 
moved to the context-free 



-> DataExpr 
-> DataExpr 



7,7, Communication and renaming (B8) 



{Mid "|"}+ 
"{" {MAId ","}* 
MAId ("->" Mid)? 
"{" {CommExpr " , "}* "}' 
Mid "->" Mid 
"{" {RenExpr ","}* "}" 



• MAId 

-> MAIdSet 

-> CommExpr 

-> CommExprSet 

-> RenExpr 

-> RenExprSet 
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180 



185 



200 



210 



220 



225 



*/,*/, Process expressions (B9) 

Mid -> ProcExpr 

Mid "(" DataExprs ")" -> ProcExpr 

"delta" -> ProcExpr 

"tau" -> ProcExpr 
'/,'/, Sum was moved to the context-free priorities section, 

("block" | "allow" | "hide") "(" MAIdSet "," ProcExpr ")" -> ProcExpr 

"rename" " (" RenExprSet " , " ProcExpr ") " -> ProcExpr 

"comm" " (" CommExprSet " , " ProcExpr ") " -> ProcExpr 

"(" ProcExpr ">" -> ProcExpr 
'/,'/, ProcExpr with binary operators was moved to the context-free 
'/,'/, priorities section. 



7,7, Action declaration (B10) 
190 MIds (":" Domain)? " ; " -> ActDecl 

"act" ActDecl+ -> ActSpec 

7,7, Process and initial state declaration (Bll) 

Hid "=" ProcExpr ";" -> ProcDecl 

195 Mid "(" {IdsDecl ",">+ ")" "=" ProcExpr ";" -> ProcDecl 

"proc" ProcDecl+ -> ProcSpec 

"init" ProcExpr ";" -> Init 



7,7, Syntax of an mCRL2 specification (B12) 

SortSpec* DpSpec* EqnSpec* ActSpec* ProcSpec* Init* - 



context-free priorities 
7,7, B9 

ProcExpr "@" ProcExpr -> ProcExpr : 

205 "sum" {IdDecl ","}+ "." ProcExpr -> ProcExpr : 

ProcExpr "." ProcExpr -> ProcExpr {right} : 

ProcExpr "<<" ProcExpr -> ProcExpr {left} : 

{ 

ProcExpr " II " ProcExpr -> ProcExpr {right} 



ProcExpr " | " ProcExpr -> ProcExpr {right} 

ProcExpr "||_" ProcExpr -> ProcExpr {right} 

} : 



215 ProcExpr "+" ProcExpr -> ProcExpr {right} > 



DataExpr 


"->" ProcExpr 


"<>" ProcExpr -> 


DataExpr 


"->" ProcExpr 


-> 


ProcExpr 


"+" ProcExpr 


-> 


7,7, B7 






DataExpr 


" (" DataExprs 


")" 


DataExpr 


("|>" | "<|") 


DataExpr 


DataExpr 


"++" DataExpr 




DataExpr 


(».« | »*■' | 


div" ) DataExpr 


DataExpr 


| DataExpr 


DataExpr 


("mod" | "in 


) DataExpr 


DataExpr 


(.„. i 


"<" 1 ">" 1 "<=" 


DataExpr 


CM" i "ii" 


"=>") DataExpr 



-> DataExpr > 

-> DataExpr {left} > 

-> DataExpr {left} > 

-> DataExpr {left} > 

-> DataExpr {left} > 

-> DataExpr {left} > 

=") DataExpr -> DataExpr {left} > 

-> DataExpr {left} 



A.5 cfsm2mcrl2.sdf 

1 7,7, Module for converting the CERH Finite State Machines into mCRL2 code. 

module cfsm2mcrl2 

5 imports cf sm 

imports merit 

imports genericclauses 

imports midtools 

imports basic/Integers 

10 imports basic/BoolCon 

exports 

context-free start-symbols 
15 SortDecl+ ProcExpr 

context-free syntax 

7,7, Main convertor function to convert a FSM class to an MCRL2 specification. 
20 cf sm2mcrl2(FSMClass+) -> ProcSpec+ 

7,7, Convertor function to convert a FSM class to an MCRL2 specf ication , with the added 
7,7, property that the result will be a bottom monitor. That is, it has no children and 
7,7, whenever it would normally check the state of children, it will instead check 

25 7,7, randomSt ate Changes . 

cf sm2mcrl2bm(FSMClass+) -> ProcSpec+ 

7,7, Function to generate the PType, State and Command sorts from a number of FSM classes. 
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30 



35 



55 



100 



105 



f smGenerateSorts (FSMClass+) -> SortDecl+ 

'/,'/, Function to generate the list of process names from a list of process specificatif 
mcrl2GetPTypes (ProcSpec+) -> SortDecl 
hiddens 

ProcName ActionClauseTuple UniqueProcName PC 
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context-free syntax 

7.7.7.7.7.7.7.7.7.7.7.7. Specification Conversion 

Mid -> ProcName 

Integer -> PC 

<FSMActionName, PC, DataExpr, ProcExpr> -> ActionClauseTuple 

45 7,7, Function to convert a number of FSM classes into process definitions, 

f smClasses2Mcrl2Procs(FSMClass+, BoolCon) -> ProcSpec+ 

7,7, The main converion function to convert one FSM Class into a Process, 
f smClass2Mcrl2Proc(FSMClass, BoolCon) -> ProcSpec 

50 fsmClassName2ProcName(MId, BoolCon) -> Mid 

7,7, Conversion functions for a list of states and a single state in the FSM. 
convertStates(FSMStateClause*, ProcName, BoolCon, Mid*) -> ProcExpr 

convertState(FSMStateClause, ProcName, BoolCon, Mid*) -> ProcExpr 

7,7, Conversion functions for the parts in each state. These functions are 
7,7, grouped by phase. First the functions needed in the when-phase . Functions 
7,7, that are requird in both phases are listed in with the when-phase. 



60 



65 



70 



75 



80 



85 



90 



7,7, The conversion of the when-clauses requires a third parameter: the name of 
7,7, the state we are currently converting. 

convertWhenClauses(FSMWhenClause*, ProcName, Mid, ActionClauseTuple*) -> ProcExpr 

convertReferer(FSMReferer, ProcName, Mid, ActionClauseTuple*) -> ProcExpr 

convertExpr(FSMExpression) -> DataExpr 

convertChildrenSpec (FSMChildrenSpec) -> DataExpr 

convertStateNameSpec (FSMStateNameSpec) -> DataExpr 

7,7, Conversion functions for the action clauses. 

combineActionClauseComponents (ActionClauseTuple* , ProcName , FSMStateName) -> ProcExpr 

7,7, Helper function for convertActionClauseComponents and convertRef erer . 
7,7, Returns the fsm action name, mcrl2 condition and mcrl2 effect of an fsm 
7.7. action clause. Action clauses also need the name of the state. As with the 
7,7, when-clauses, this is the third parameter. 

gatherComponentsFromActionClauses(FSMActionClause*, ProcName, Mid, PC) -> <ActionClauseTuple* , PC> 
7,7, Helper function for convertActionClauseComponents. 

get Act ionClauseTupleFor Act ionName (ActionClauseTuple*, FSMActionName) -> ActionClauseTuple 

7.7. Given a list of ActionClauseTuples , construct the summand that selects the 
7,7, right pc for the received command. 

constructClauseSelectors (ActionClauseTuple* , ProcName) -> ProcExpr 

7,7, Conversion functions for the statements inside action clauses. 
convertStatements(FSMStatement*, ProcName, PC, PC, PC) -> <ProcExpr,PC> 
convertStatement(FSMStatement, ProcName, PC, PC, PC) -> <ProcExpr,PC> 

7,7, Helper function for the translation of if statements. 
insertIfBlockingWaiter(ProcName, PC) -> ProcExpr 

7,7, Helpers for the generation of bottom monitors. 

inAnyState(MId*) -> DataExpr 

createObedientCommandAcceptor(FSMActionClause*, ProcName, Mid*) -> ProcExpr 

95 7,7, For the when clauses we need to add a clause describing that we are in a certain 

7,7, state. 

isStateCheck(MId) -> DataExpr 

isStateCheck(MId, Mid) -> DataExpr 

sCommandCheck(MId) -> DataExpr 

isStateCheck" -> DataExpr {reject} 

isCommandCheck" -> DataExpr {reject} 



7i7« Function to prepend 'is_' to an identifier ( MYID = 
toMcrllsFunction(MId) -> Mid 



7,7. Convert a name of a state into an StateName as we will use in Mcrl2 ( OFF => S_DFF ) . 

toMcrlStateName(MId) -> Mid 

"toMcrlStateName" -> DataExpr {reject} 

110 "toMcrlStateName" -> Mid {reject} 

7,7, Convert a name of a command into a CommandName as we wil use in Mcrl2 ( OFF => C_DFF ) . 

toMcrlCmdName(MId) -> Mid 
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7.7.7.7.7.7.7.7.7.7.7.7. Sort generation 



'/.'/. These funct 



equired to generate 



i the FSM cla 



7.7. First functions to create a declaratio 
7,7, name of the class/state/action. So fro: 
7.7. 'Class ? is.myClass'. Similarly for st 
convertClassfJamesToTypeConstrDecl (Mid*) 
convertStateNamesToStateConstrDecl(MId*) 
convert Act ionNamesToCmdConstrDecl (Mid*) 



that is used in 

-> {ConstrDecl "|"}+ 
-> {ConstrDecl "|"}+ 
-> {ConstrDecl "|"}+ 



om the 
generates : 



7.7, The following functions are traversal functions that simply gather all definitions 



7,7, of a ClassName/StateName/Action name in the FSM classes that ' 



collectClasses (FSMSpecificatio 
collectClasses (FSMClass ,MId*) 
collectClasses(FSMChildrenAnySpecif ic,MId*) 
collectClasses (FSMChildrenAllSpecific, Mid*) 

collectStates(FSMSpecification, Mid*) 
collectStates(FSMStateClause+, Mid*) 
collectStates(FSMStateClause, Mid*) 
collectStatesCFSMWhenClause*, Mid*) 
collectStates (FSMWhenClause , Mid*) 
collectStates(FSMStateWameSpec, Mid*) 



-> Mid* {traversal (ai 
-> Mid* {traversal (a< 
-> Hid* {traversal (a. 
-> Hid* {traversal (a. 



; supplied. 
. , top-down , cont inue ) } 
. , top-down , cont inue ) } 
l, top-down, continue) } 
..top-down, continue) } 



■ Hid* {traversal (accu, top-down, continue) } 
top-down, continue) } 
top-down, continue) } 
l, top-down, continue) } 
l, top-down, continue) } 



■ Hid* {traversal (a. 

■ Hid* {traversal(a. 

■ Hid* {traversal (a. 

■ Mid* {traversal (at 

■ Mid* {traversal (accu, top-down, continue) } 



collectCommands(FSMSpecif ication,MId*) 
collectCommands(FSMActionClause,MId*) 



■ Hid* {traversal (accu, top-down, continue) } 

■ Hid* {traversal (accu, top-down, continue) } 



collect Act ionWames(FSMSpecif ication 
collect Act ionWames (FSMActionClause* 



Mid*) 
Mid*) 



■ Hid* {traversal (a 
Hid* {traversal (a 



u, top-down, continue) y 
u, top-down, continue) > 



7,7, Function to add something to a set such that we 
addToSet(MId,MId+) -> Mid* 



do not introduce duplicates. 



7.7.7.7,7,7.7.7,7,7.7.7. ProcNames generation 

mcrl2PTypesFromProcSpecs(ProcSpec+) -> {ConstrDecl "|">+ 
mcrl2PTypesFromProcDecls(ProcDecl+) -> {ConstrDecl "|">+ 



variables 

"$mid" [0-9]* 
"$mid+" [0-9] * 
"$mid*" [0-9] * 
"$mids" [0-9] * 



Mid 

■ MId+ 
Mid* 

■ MIds 



"$f smSpec" [0-9] * 
"$f smClass" [0-9] * 
"$f smClass+" [0-9] * 
"$f smState" [0-9] * 
"$fsmState+" [0-9]* 
" $f smWhenClause " [0-9] * 
"$f smWhenClause+" [0-9] * 
"$f smWhenClause*" [0-9] * 
"$f smActionClause" [0-9] * 
"$f smActionClause*" [0-9] * 
"$f smExpr" [0-9] * 
"$f smExpr*" [0-9] * 
"$f smStatement" [0-9] * 
"$f smStatement+" [0-9] * 
"$f smStatement*" [0-9] * 
"$f smReferer" [0-9]* 



-> FSMSpecif ication 
-> FSMClass 
-> FSMClass+ 
-> FSMStateClause 
-> FSMStateClause+ 
-> FSMWhenClause 
-> FSMWhenClause+ 
-> FSMWhenClause* 
-> FSMActionClause 
-> FSMActionClause* 
-> FSMExpression 
-> FSMExpression* 
-> FSMStatement 
-> FSMStatement+ 
-> FSMStatement* 
-> FSMReferer 



"$f smClassNai 



" [0-9]* 



"$f smChildrenSpec" [0-9] * 
"$f smStateNameSpec" [0-9] * 
"$f smStateWameSpecs*" [0-9] * 
"$f smChildrenAnySpecif ic" [0-9] * 
"$f smChildrenAHSpecif ic" [0-9] * 
"$f smChildrenAnyFwChildren" [0-9 

"$f smChildrenAUFwChildren" [0-9 
"$f smActionName" [0-9] * 



-> FSMChildrenSpec 
-> FSMStateNameSpec 
-> {FSMStateName " ,"}* 
-> FSMChildrenAnySpecif ic 
-> FSMChildrenAllSpecific 
-> FSMChildrenAnyFwChildren 

-> FSMChildrenAllFwChildren 

-> Mid 7.7, must be Mid for toMcrlCommandName 



"$f smStateName" [0-9] * 
"$f smCurrentState" [0-9] * 
"$f smNewState" [0-9] * 
"$f smStateNames" [0-9] * 
"$mcrl2CurrentState" [0-9] * 
"$mcrl2NewState" [0-9] * 



■ Mid 
Mid 
Mid 

■ {FSMStateNar 
Mid 

■ Mid 



"$actionClauseTuple" [0-9] * 
"$actionClauseTuple+" [0-9] * 
"$actionClauseTuple*" [0-9] * 



ActionClauseTuple 
ActionClauseTuple+ 
ActionClauseTuple* 
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200 



205 



210 



215 



220 



"$procDecl" [0-9] * 


-> 


ProcDecl 


"$procDecl+" [0-9] * 


-> 


ProcDecl+ 


"$procDecl*" [0-9] * 


-> 


ProcDecl* 


lf $dataExpr lf [0-9] * 




DataExpr 


"$dataExprs" [0-9] * 


-> 


{DataExpr 


"$procExpr" [0-9] * 




ProcExpr 


"$procSpec" [0-9] * 


-> 


ProcSpec 


"$procSpec+" [0-9] * 




ProcSpec+ 


"$procSpec* n [0-9] * 




ProcSpec* 


"$mcrl2Command" 


-> 


Mid 


"$mcrlActionCondition" 


-> 


DataExpr 


"$mcrlActionEf f ect" 


-> 


ProcExpr 


"$procName" [0-9] * 


-> 


Mid 


"$pc" [0-9]* 


-> 




"$start_pc" [0-9]* 


-> 




"$avail_pc" [0-9] * 


-> 


Integer 


"$jump_pc" [0-9] * 


-> 


Integer 


"$then_pc" [0-9]* 


-> 




"$else_pc" [0-9]* 


-> 


Integer 


"$end_pc" [0-9] * 


-> 


Integer 


"$idsDecls" 


-> 


{IdsDecl 
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"$b" 
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lexical variables 
"#midHead" [0-9]* 
"#midTailChar" [0-9] * 
"#midTail" [0-9]* 



-> [a-zA-Z\_] 

-> ([a-zA-Z0-9\_\']> 

-> C[a-zA-Z0-9\_\'])* 



A.6 cfsm2mcrl2.asf 

1 equations 

[cf sm2mcrl2-l] 

cf sm2mcrl2($f smClass+) = f smClasses2Mcrl2Procs($f smClass+, false) 

5 

7.7. Convertor function to convert a FSM class to an MCRL2 specf ication, with the added 
7.7. property that the result will be a bottom monitor. That is, it has no children and 
'/,'/, whenever it would normally check the state of children, it will instead check 
7.7. randomSt ate Changes . 
10 [cf sm2mcrl2bm-l] 

cf sm2mcr!2bm($f smClass+) = f smClasses2Mcrl2Procs($f smClass+, true) 

7.7. Convert a number of FSM classes into processes. 
[convertSpec-single] 

15 f smClasses2Mcrl2Procs($f smClass, $b) = f smClass2Mcrl2Proc($f smClass, $b) 
[convertSpec-multi] 

f smClasses2Mcrl2Procs($f smClass $fsmClass+, $b) = 

f smClass2Mcrl2Proc($f smClass, $b) f smClasses2Mcrl2Procs($f smClass+, $b) 

20 

7'A In our main function we define the process instance and process declaration, 
[f smClassName2ProcName-bm] 

f smClassName2ProcName($mid, true) = $mid 7.7.concat($mid, _BM) 

25 

[f smClassName2ProcName-nobm] 

f smClassName2ProcName ($mid, false) = $mid 



30 [fsmClass2Mcrl2Proc-l] 

$procName := f smClassName2ProcMame ($f smClassName , $b) , 

$procExpr := convertStates ($f smState* , $procName, $b, collectStates ($f smState+ , )), 

$procSpec := proc $procName (self : Id, parent: Id, s: State, chs : Children, phase: Phase, aArgs : ActPhaseArgs) = 
$procExpr + 
35 insertGenericClauses ($procfJame) ; 

f smClass2Mcrl2Proc(class: $FWPART_$T0P$ $f smClassName $fsmState+, $b) = $procSpec 



40 

7.7. Function for converting a list of states. Each state translation translates to a Process Expression, so 
7i7« this means a list should be translated using the alternative ( + ) operator 
[convertStates-1 -element] 

convertStates($f smState, $procName, $b, $mid*) = convertState ($f smState , $procName, $b, $mid*) 

45 

[convertStates-list] 

convertStates($f smState $fsmState+, $procName, $b, $mid*) = 
convertState($f smState, $procName, $b, $mid*) + 
convertStates($f smState+, $procName, $b, $mid*) 
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7,7, Functon to convert a single state. 
[convertState-nobm] 

<$actionClauseTuple*, $pc> := gatherComponentsFromActionClauses($f smActionClause*, $procName , $f smCurrentState 

convertState (state : $f smCurrentState $f smWhenClause* $f smActionClause* , $procName , false , $mid*) = 
( 

'/. =========== 

7. BEGIN STATE 



7. BEGIN WHEN CLAUSES 

convert WhenClauses ($f smWhenClause* , SprocWame , $f smCurrentState , SactionClauseTuple*) + 
7. END WHEN CLAUSES 



7, BEGIN ACTION CLAUSES 
7, These are the rules: 

7, pc(aArgs) == => no command received yet 

7, pc(aArgs) > => command received, executing action clause 

7, pc(aArgs) == -1 kk cq(aArgs) != [] => action clause executed, but still must send commands 

7, pc(aArgs) == -1 kk cq(aArgs) == [] => action clause executed 

'/,'/, Since the FSM language allows for an arbitrary amount of statements and 

7 t 7. an arbitrary amount of (nested) if -statements , we cannot simply do a 

'/,'/, sequential translation. It is for this reason that we use a label to 

'/,'/, identify the translation of every statement. After executing a 

'/,'/, statement, a program counter is set to the label of the statement which 

'/,'/, should be executed next. There are two special cases here: 

'/,'/, * Label 0, the clause selector. In the action phase, we always first 

'/,'/, have pc == 0. When we receive a command, the clause selector 

'/,'/, determines the label of the first statement of the action clause 

'/,'/, that should handle the command. The program count is then set to 

7,7, this label. 

7,7, * Label -1, end of action. After executing an action, the program 
7,7, counter is set to -1 to signify that we should now empty the 

7,7, sendqueue and move to the when phase. 

7,7, Examples can be found in the translation function of the if -statement . 
7. BEGIN INITIALIZATION CHECK 

((isStateCheck($fsmCurrentState)) kk (isActPhase (phase) ) kk ( ! (initialized(chs) ) ) kk 
(pc(aArgs) == 0) kk (nrf(aArgs) == [])) -> 
start_initialization(self ) . 
$procName (self , parent , s , chs , phase , 

actArgs([], children_to_ids (chs) , 0, rsc(aArgs))) <> 

7. END INITIALIZATION CHECK 

7. BEGIN CLAUSE SELECTOR 

( (initialized (chs) ) -> 
( 

(((isStateCheck($fsmCurrentState)) &fe (isActPhase (phase) ) kk (cq(aArgs) == []) kk (pc(aArgs) == 0)) -> 
sum c : Command. ( 

rc (parent , self , c) . 

const ructClauseSelectors ($actionClauseTuple* , $procName) 

)) + 

7. END CLAUSE SELECTOR 

combineActionClauseComponents (SactionClauseTuple* , $procName , $f smCurrentState) 

)> 

% END ACTION CLAUSES 

% 

'/, END STATE 
7. 

) 

7,7, Functon to convert a single state (bottom monitor variant) . 
[convert St at e-bm] 

$dataExpr := inAnyState (collectStates ($f smWhenClause* , )), 

$procExpr : = createObedientCommandAcceptor ($f smActionClause* , $procName , $mid*) 

convertState(state : $f smCurrentState $f smWhenClause* $f smActionClause* , SprocName, true, $mid*) = 
( 

7. 

7. BEGIN STATE 

% 
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7, BEGIN ACTION CLAUSES 

((isStateCheck($f smCurrentState)) -> 
sum c: Command. 

140 c 

rc (parent , self , c) . 
SprocExpr 

> 

145 

7, END ACTION CLAUSES 

y. 

7, END STATE 

150 •/. 



155 



160 



165 



170 



175 



180 



185 



190 



195 



205 



210 



215 



220 



UUUUVaWX/Xa When Clauses Stuff 
[convert WhenClauses-empty] 

$mcrl2CurrentState := toHcrlStateName ($f smCurrentState) 

convertWhenClausesC, $procName, $f smCurrentState , SactionClauseTuple*) = 
( 

'/. BEGIN WHEN FALLTHR0UGH 

C((isStateCheck($fsmCurrentState)) M (isWhenPhase (phase) ) ) -> 
ss(self, parent, s) . 
move_phase(self , ActionPhase) . 

SprocName (self , parent, s, chs, ActionPhase, reset (aArgs) ) ) 

7. END WHEN FALLTHR0UGH 
) 

[convertRef erer-moveto] 

$mcrl2WewState := toHcrlStateName ($f smNewState) 

convertRef erer(move_to $f smNeuState, SprocName, $mcrl2CurrentState , SactionClauseTuple*) = 
move_state(self , $mcrl2NewState) . 

$procWame(self , parent, Smcrl2NewState , chs, phase, aArgs) 
[convertRef erer-do] 

<$f smActionWame , $start_pc , SmcrlActionCondition, $mcrlActionEf f ect> : = get Act ionClauseTupleFor Act ionName (SactionClauseTuple* , $f smActionName) 

convertRef erer (do $f smActionName , SprocName , $mcrl2CurrentState , SactionClauseTuple*) = 
move_phase(self , ActionPhase) . 
SmcrlActionEff ect 

7,7, Note: the empty list is not allowed here since there must always be an corresponding action. If not, the FSM is 
[get Act ionClauseTupleFor Act ionWame -many-match] 

<$f smActionName, $start_pc, $mcrlActionCondition, $mcrlActionEf f ect> := SactionClauseTuple 

get Act ionClauseTupleForAct ionName (SactionClauseTuple $actionClauseTuple* , Sf smActionName) = 
SactionClauseTuple 

[getActionClauseTupleForActionName-many-nomatch] 

<SfsmActionName2, $start_pc, SmcrlActionCondition, $mcrlActionEf f ect> := SactionClauseTuple, 
Sf smActionNamel != $f smActionName2 

get Act ionClauseTupleForAct ionName (SactionClauseTuple $actionClauseTuple* , Sf smActionNamel) = 
get Act ionClauseTupleForAct ionName (SactionClauseTuple* , $f smActionNamel) 



7,7, When we have multiple elements in our list of when clauses we translate into 
200 7,7, a form of 'c -> a.X <> b' in which 'b' is the translation of the remaining 
7,7, when clauses 
[convertWhenClauses-many] 

Smcrl2CurrentState : = toHcrlStateName ($f smCurrentState) 



convertWhenClauses(when ($fsmExpr) SfsmReferer $f smWhenClause* , SprocName, Sf smCurrentState , $actionClauseTuple*) 
( 

7, BEGIN WHEN 

((isStateCheck(SfsmCurrentState)) kk (isWhenPhase (phase) ) kk 

(convertExpr (Sf smExpr) ) ) -> 
convertRef erer (SfsmReferer, SprocName, Smcrl2CurrentState , SactionClauseTuple*) <> 

7. END WHEN 

( convert WhenClauses (Sf smWhenClause* , SprocName , $f smCurrentState , SactionClauseTuple*) ) 
) 

7,7,7,7,7,7,7,7.7.7.7.7.7.7.7.7.7.7.7.7.7.7, Action Clauses Stuff 
[gatherComponentsFromActionClauses-empty] 

gatherComponentsFromActionClauses ( , SprocName , $f smCurrentState , Spc) = 
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<, $pc> 



225 



230 



235 



240 



[gatherComponentsFromActionClauses-many] 
$start_pcl := $avail_pcl, 
$avail_pc2 := $avail_pcl + 1, 

$mcrl2Command := toHcrlCmdName ($f smActionName) , 

<$procExpr , $avail_pc3> : = convert Statement s ($f smStatement* , $procName , $start_pcl , -1 , $avail_pc2) , 
<$actionClauseTuple* , $avail_pc4> : = 

gatherComponentsFromActionClauses ($f smActionClause* , $procName , $f smCurrentState , $avail_pc3) 

gatherComponentsFromActionClauses (action: $f smActionName $f smStatement* $f smActionClause* , 
SprocName , $f smCurrentState , $avail_pcl) = 

< 
< 

$f smActionName , 
$start_pcl, 

C(isStateCheck($fsmCurrentState)) kk (isActPhase(phase)) kk (cq(aArgs) == [])), 

($procExpr) 
> 

$actionClauseTuple* , $avail_pc4> 



245 [combineActionClauseComponents-empty] 

combineActionClauseComponents ( , $procName , $f smCurrentState) = delta 
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255 



260 



265 



270 



[combineActionClauseComponents-many] 

<$f smActionName, $start_pc, SmcrlActionCondition, $mcrlActionEf f ect> := SactionClauseTuple 
combineActionClauseComponents (SactionClauseTuple $actionClauseTuple* , $procName , $f smCurrentState) 

c 

7. BEGIN ACTION 

($mcrlActionCondition -> 
SmcrlActionEff ect) + 

% END ACTION 

(combineActionClauseComponents ($actionClauseTuple* , $procName , $f smCurrentState) ) ) 

[constructClauseSelectors-empty] 
constructClauseSelectors ( , SprocName) = 
'/. BEGIN ACTION FALLTHR0UGH 



ss (self , parent , s) . 
ignored_command(self , c) . 

SprocName (self , parent , s , chs , phase , update_pc (aArgs , -1) ) 



'/, END ACTION FALLTHR0UGH 



275 



280 
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[constructClauseSelectors-many] 

constructClauseSelectors (<$f smActionName, $start_pc, $mcrlActionCondition, SmcrlActionEf f ect> $actionClauseTuple* , 
$procName) = 

(isCommandCheck($f smActionName) -> $procName (self , parent , s , chs , phase , update_pc (aArgs , $start_pc) ) <> ( 
constructClauseSelectors ($actionClauseTuple* , $procName) ) ) 

[createObedientCommandAcceptor-empty] 

createObedientCommandAcceptor ( , SprocName , $mid*) = constructClauseSelectors ( , SprocName) 

[createDbedientCommandAcceptor-many-nomatch] 
contains ($f smActionName, $mid*) == false 

createObedientCommandAcceptor (action : $f smActionName $f smStatement* $f smActionClause* , $procName , $mid*) = 
createObedientCommandAcceptor ($f smActionClause* , $procName , $mid*) 



290 [ere at eObedientCommandAcceptor-many -match] 
contains ($f smActionName , $mid*) == true , 
$mcrl2NewState := toHcrlStateName($fsmActionName) , 
$mid : = toHcrlCmdName ($f smActionName) 
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300 



305 



createObedientCommandAcceptor (action : $f smActionName $f smStatement* $f smActionClause* , $procName , $mid*) 
((c == $mid) -> 

ss(self, parent, $mcrl2NewState) . 
move_state(self , $mcrl2NeuState) . 

$procName(self , parent, $mcrl2NewState , chs, WhenPhase, (reset (aArgs) ) ) 
<> 

createObedientCommandAcceptor ($f smActionClause* , $procName , $mid*) ) 

nnnnnnn statements 

[convert Statements-empty] 
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310 



315 



320 



325 



330 



335 



340 



345 



350 



355 



360 



365 



370 



375 



380 



385 



390 



XX Some FSMs in the bottommost layer might have actions which do not contain any statements. 
convertStatements ( , $procName , $start_pc , $jump_pc , $avail_pc) = 

< 

( 

X BEGIH STATEMENT NDDP 
(Cpc(aArgs) == $start_pc) -> 
noop_statement (self) . 

($procName (self , parent , s , chs , phase , update_pc (aArgs , $ jump_pc) ) ) ) 
X END STATEMENT N00P 
) 

, $avail_pc> 
[convert Statements-single] 

XX The final statement in a block should jump to the next block (indicated by $jump_pc) . 
convertStatements ($f smStatement , SprocName, $start_pc, $jump_pc, $avail_pc) = 
convertStatement ($f smStatement , $procName , $start_pc , $jump_pc , $avail_pc) 

[convertStatements-multiple] 
$start_pc2 := $avail_pcl, 
$avail_pc2 := $avail_pcl + 1, 

<$procExprl, $avail_pc3> := convertStatement ($f smStatement , $procName , $start_pcl, $start_pc2, $avail_pc2) , 
<$procExpr2, $avail_pc4> := convertStatements($f smStatement+, $procName , $start_pc2, $jump_pc, $avail_pc3) 

convertStatements ($f smStatement $f smStatement + , $procName , $start_pcl , $jump_pc , $avail_pcl) = 
<$procExprl + 
$procExpr2 , $avail_pc4> 

[convertStatement-do] 

convertStatement (do $f smActionName $f smChildrenSpec, $procName , $start_pc, $jump_pc, $avail_pc) = 
< 
( 

BEGIN STATEMENT DO 
((pc(aArgs) == $start_pc) -> 
queue .messages (self ) . 

(3>procName(self , parent, s, chs, phase, 

actArgs (send_command(toMcrlCmdName ($f smActionName) , 

convertChildrenSpec($f smChildrenSpec) ) , [] , $jump_pc , rsc (aArgs) ) ) ) ) 

% END STATEMENT DO 
) 

, $avail_pc> 
[convert St at ement-moveto] 

$mcrl2NewState := toMcrlStateName ($f smNewState) 

convertStatement (move_to $f smNewState , SprocName , $start_pc , $ jump_pc , $avail_pc) = 
< 
( 

% BEGIN STATEMENT M0VE.T0 
((pc(aArgs) == $start_pc) -> 

(ssfself, parent, $mcrl2NewState) . 
move_phase(self , WhenPhase) . 

$procName(self , parent, $mcrl2NewState , chs, ActionPhase , reset (aArgs) )) ) 
% END STATEMENT M0VE.T0 
) 

, $avail_pc> 

[insertlfBlockingWaiter-l] 
insertIfBlockingWaiter($procName, $pc) = 
sum si: State. ( 

rs(id(head(busy_children(chs))) , self, si). 

$procName ( self , parent , s , 

update_busy(id(head(busy_children(chs) ) ) , 

update_state(id(head(busy_children(chs))) , si, chs)) , 
phase, update _pc (aArgs, $pc))) 

[convert St at ement-if thenend] 
$start_pc2 := $avail_pcl, 
$avail_pc2 := $avail_pcl + 1, 
<$procExprl, $avail_pc3> := 

convertStatements ($f smStatement + , $procName , $start_pc2 , $jump_pc , $avail_pc2) , 
$procExpr2 := 

( 

% BEGIN STATEMENT IF -THEN -END IF 
((pc(aArgs) == $start_pcl) -> 
( 

(busy_children(chs) != [] ) -> 

( 

insert If BlockingWaiter ($procName , $start_pcl) 
) 

<> 

( 

((convertExpr($f smExpr) ) -> 
enter_then_clause (self ) . 

3>procName(self , parent, s, chs, phase, update_pc (aArgs , $start_pc2)) <> 
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395 



skip_then_clause (self ) . 
$procName (self , parent , 



chs , phase , update_pc (aArgs , $ jump_pc) ) ) 
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'/, BEGIN THEN 

$procExprl 
7, END THEN 



7, END STATEMENT IF-THEN-ENDIF 
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440 
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460 



465 



convert Statement (if ( $f smExpr ) then $f smStatement+ endif , $procName , $start_pcl , $jump_pc , $avail_pcl) 
< 

$procExpr2, 
$avail_pc3 



[convert St at ement-if thenelseend] 

'/,'/, Suppose we have the following FSM statements (pseudocode) : 
7.7. 
'/.'/. 
'/.'/. 



do STANDBY cl 
if b then 

do ON cl 

do ON c2 

do STANDBY c3 

else 

do OFF cl 
move.to ERROR 
do OFF c2 

do ON c4 



'/.'/. 
'/.'/. 
'/.'/. 
'/.'/. 
'/.'/. 
'/.'/. 
'/.'/. 
7.7. 
7,7, 

7.7. We will now giv. 
7.7. every statement 
7.7. of the line, ani 
7.7. along with some 

7.7. 

7.7. We assume that : 

7.7, * start.pcl = 5 

7,7, * jump.pc = 6 

7,7. * avail_pc = 10 

7.7. 

7.7. The simplified translation follows 
7.7. 



a simplified translation of these statements. For 
we give the label of the statement at the beginning 
the label of the next statement at the end of the line, 
explanations . 



'/.'/. 


5. 


queue STANDBY to cl 


(-> 


10, 


■/:/. 


10. 


IF there is a busy child 






■/.■/. 




THEN get the new state of a busy child 


(-> 


10, 


■/.■/. 




ELSE IF b 






7.7. 




THEN enter_then_clause(self ) 


c-> 


12; 


7.7. 




ELSE enter_else_clause(self ) 


(-> 


13) 


7.7. 


12. 


queue ON command to cl 


(-> 


14; 


7.7. 


14. 


queue ON command to c2 


(-> 


15) 


'/.'/. 


15. 


queue STANDBY command to c3 


<-> 


11; 


'/.'/. 


13. 


queue OFF command to cl 


(-> 


16, 


'/.'/. 


16. 


move to the ERROR state 


(-> 


-l; 


7.7. 


17. 


queue OFF command to c2 


(-> 


11; 


7.7. 


11. 


send ON command to c4 


(-> 


6; 



7,7, 

$start_pc2 := $avail_pcl, 
$start_pc3 := $avail_pcl + 1, 
$avail_pc2 := $avail_pcl + 2, 
<$procExprl, $avail_pc3> := 

convertStatements ($f smStatement+1 , 
<$procExpr2, $avail_pc4> := 

convertStatements ($f smSt at ement+2 , 
$procExpr3 := 

( 



since 10 is the first available label) 
i.e. loop until there are no busy children) 

note that 11 is reserved for the statement after the if statement) 
note that 13 is taken by the first statement of the else clause) 

end of this block, so jump to the statement after the if statement) 
since 14-15 are used by the then-block) 

special case: after a move_to we leave the action phase) 
unreachable due to the move_to on the previous line) 
last statement in the list, so we jump to jump_pc) 



SprocWame, $start_pc2, $jump_pc J $avail_pc2) , 
SprocWame, $start_pc3, $jump_pc, $avail_pc3) , 



7, BEGIN STATEMENT IF-THEN-ELSE-ENDIF 

((pc(aArgs) == $start_pcl) -> 

( 

(busy_children(chs) != [] ) -> 

( 

insert If BlockingWaiter ($procName, $start_pcl) 

) 



470 



475 



( (convert Expr ($f smExpr) ) -> 
enter_then_clause(self ) . 
$procName (self , parent , s 
enter_else_clause(self ) . 
$procName (self , parent , s 



chs, phase, update.pc (aArgs , $start_pc2)) <> 
chs , phase , update_pc (aArgs , $start_pc3) ) ) 



30 



480 



485 
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495 



500 



)) ♦ 
( 

7. BEGIN THEN 

$procExprl 
7, END THEN 
) + 

( 

7, BEGIN ELSE 
$procExpr2 
7, END ELSE 

) 

'/, END STATEMENT IF-THEN-ELSE-ENDIF 
) 

convertStatementCif ( $fsmExpr ) then $f smStatement+1 else $f smStatement+2 endif, $procName, Sstart_pcl, $jump_pc, $avail_pcl) 
< 

$procExpr3, 
$avail_pc4 
> 

7.7.7.7.7.7.7.7.7.7.7.7.7. Expr, 
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520 



525 



530 



7,7, Conversion of expressions. We have two compound types: and-expressions and 

7,7, or-expressions : 

[convertExpr-and] 

convertExpr ($f smExprO and $fsmExprl) = convertExpr ($f smExprO) && convertExpr ($f smExpr 1) 
505 [convertExpr-or] 

convertExpr ($fsmExpr0 or $fsmExprl) = convertExpr ($f smExprO) II convertExpr ($f smExpr 1) 



7,7, And the expressions which check if certain children are in some specific 
7,7, state. These depend on the specified children (either all children, any 
510 7,7, child, all children of a certain type, or any child of a certain type). 



7,7, For the all children/any child we simply use the all_in_state (chs , stateType) 
7,7, translation. 
[convertExpr-allchildren] 

convertExpr ($f smChildrenAUFwChildren in_state $f smStateNameSpec) = 

all_in_state (convertChildrenSpec ($f smChildrenAUFwChildren) , convertStateNameSpec ($f smStateNameSpec)) 
[ convertExpr -any chi ldren] 

convertExpr ($f smChildrenAnyFwChildren in_state $f smStateNameSpec) = 

any_in_state (convertChildrenSpec ($f smChildrenAnyFwChildren) , convertStateNameSpec($f smStateNameSpec)) 

7,7, For the translation of 'all children of type T' we should make sure to use a 
'/,'/, subset of our children 'chs'. To do that the convert ChildrenSpec function 
'/,'/, will make sure we apply the 'f ilter_children' method, 
[convert Expr-allinst at especific] 

convertExpr ($f smChildrenAHSpecif ic in_state $f smStateNameSpec) = 

all_in_state(convertChildrenSpec($f smChildrenAHSpecif ic) , convertStateNameSpec($f smStateNameSpec)) 
[convert Expr-anyinst at especific] 

convertExpr ($f smChildrenAnySpecif ic in_state $f smStateNameSpec) = 

any_in_state(convertChildrenSpec($f smChildrenAnySpecif ic) , convertStateNameSpec($f smStateNameSpec)) 

[convert Expr-notallchildren] 

convertExpr (not ($f smChildrenAUFwChildren) in_state $f smStateNameSpec) = 

! (all_in_state(convertChildrenSpec($f smChildrenAUFwChildren) , convertStateNameSpec($f smStateNameSpec))) 

535 [convertExpr-notallinstatespecif ic] 

convertExpr (not ($f smChildrenAHSpecif ic) in_state $f smStateNameSpec) = 

! (all_in_state(convertChildrenSpec($f smChildrenAHSpecif ic) , convertStateNameSpec($f smStateNameSpec))) 

540 '/,*/, We now repeat these translations for the not_in_state expressions. 
[convertExpr-allchildren-not] 

convertExpr ($f smChildrenAUFwChildren not_in_state $f smStateNameSpec) = 

! (any_in_state(convertChildrenSpec($f smChildrenAUFwChildren) , convertStateNameSpec($f smStateNameSpec))) 
[convertExpr-anychildren-not] 
545 convertExpr ($f smChildrenAnyFwChildren not_in_state $f smStateNameSpec) = 

! (all_in_state (convertChildrenSpec ($f smChildrenAnyFwChildren) , convertStateNameSpec ($f smStateNameSpec) ) ) 
[convertExpr-allinstatespecif ic-not] 

convertExpr ($f smChildrenAHSpecif ic not_in_state $f smStateNameSpec) = 

! (any_in_state (convertChildrenSpec ($f smChildrenAHSpecif ic) , convertStateNameSpec ($f smStateNameSpec))) 
550 [convertExpr-anyinstatespecif ic-not] 

convertExpr ($f smChildrenAnySpecif ic not_in_state $f smStateNameSpec) = 

! (all_in_state (convertChildrenSpec ($f smChildrenAnySpecif ic) , convertStateNameSpec ($f smStateNameSpec))) 

555 7,7, Expressions can have brackets, simply leave them as they are and translate 
'/,*/, the epxression inside them. 
[convertExpr-bracket] 

convertExpr(($fsmExpr)) = (convertExpr ($f smExpr)) 



560 



*/,*/, Apply the filter on the childrenlist . 
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570 



585 



590 



595 



605 



615 



[convertChildrenSpec-alltype] 

convertChildrenSpec($ALL$ $f smClassName) = f ilter_children(chs, concat($f smClassName, _ CLASS) ) 
[convertChildrenSpec-anytype] 

convertChildrenSpec($AWY$ $f smClassName) = f ilter_children(chs, concat($f smClassName, _ CLASS) ) 
[convert Children-all] 

convertChildrenSpec($f smChildrenAUFwChildren) = chs 
[convert Children- any] 

convertChildrenSpec ($f smChildrenAnyFwChildren) = chs 



7.7. Conversion of the StateNameSpec in the FSMs into a list of states. A 
7,7, StateWameSpec is either a simple state name: 
[convert St at eWameSpec-single] 

convert StateWameSpec ($f smStateWame) = [toMcrlStateWame ($f smStateWame)] 
7,7, Or a set of state names in the form "{ namel, name2, ... J". We can then 
575 7,7, distinguish two cases: We have exactly one statename or multiple statenames 
[convert St at eWameSpec-single-in-multiple] 

convert St at eWameSpec({$f smStateWame}) = [toMcrlStateWame ($f smStateWame)] 
[convert St at eWameSpec-multiple] 

[ $dataExprs ] := convertStateNameSpec ({$f smStateNames}) 

580 ---> 

convertStateWameSpec({$fsmStateWame, $f smStateWames}) = [toHcrlStateName ($f smStateName) , $dataExprs] 

[inAny St at e - empty] 
inAnyStateO = false 



[inAnyState-one] 

inAnyState($mid) = isStateCheck($mid, si) 
[inAnyState-many] 

inAnyState($mid $mid+) = isStateCheck($mid, si) | | inAnyState ($mid+) 



7.7.7.7.7.7.7.7. Lexical Stuff 'IXIXIXIXIXk 



7.7. Create a check if the currentState is state id, i.e. convert idStateCheck(myState) into: isMyState(s) . 
[isStateCheck-2] 

mid(#midHead #midTail) := toMcrlIsFunction(toMcrlStateName($midl)) 
isStateCheck($midl, $mid2) = mid(#midHead #midTail) ($mid2) 



[isStateCheck-1] 
600 isStateCheck($mid) = isStateCheck($mid, s) 



7.7. Same for command checks. 
[isCommand-c] 

mid(#midHead #midTail) := toMcrlIsFunction(toMcrlCmdName($mid)) 
isCommandCheck($mid) = mid(#midHead #midTail)(c) 



7,7, Function to prepend the is to the function name. 
[toHcrllsFunc] 

610 toMcrlIsFunction(mid(#midHead #midTail)) = mid(is #midHead #midTail) 



[toMcrlState-1] 

toMcrlStateName(mid(#midHead #midTail)) = concat(S_, mid(#midHead #midTail)) 
[toMcrlCmd-1] 

toMcrlCmdWame(mid(#midHead #midTail)) = concat(C_, mid(#midHead #midTail)) 

'/.'/X/X/X/. Create Sort declaration stuff 

620 7,7, We generate the sort declarations for the Process Type, State and Command. 

7,7, All these sorts are structs. So for each one collect all names of Classes 
7,7, (=Process Types)/States/Actions and create the struct declarations from 
7,7, these names 
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630 



635 



[generateSorts] 

fsmGenerateSorts($fsmClass+) = 

PType = struct convertClassNamesToTypeConstrDecl (collectClasses ($f smClass+ , ) ) ; 

State = struct S_FSM_UN INITIAL I ZED ? isS_FSM_UWIWITIALIZED | convertStateNamesToStateConstrDecl(collectStates($fsmClass+,)) ; 
Command = struct convertActionNamesToCmdConstrDecl (collect Commands ($f smClass+ , ) ) ; 

7,7, Convert the state names from the form 'statename' into 'S.statename ? isS_statename ' 
[convert St at eWamesToSortDecl-single] 

convertStateWamesToStateConstrDecl($mid) = toMcrlStateWame ($mid) ? toMcrlIsFunction(toMcrlStateName($mid)) 
[convert St at eWamesToSortDecl-multi] 

convertStateWamesToStateConstrDecl ($mid $mid+) = convertStateNamesToStateConstrDecl ($mid) | convertStateNamesToStateConstrDecl ($mid+) 



7,7, convert actions/ commands from J commandname ' into ' C_commandname ? isC_commandname ' 
[convert Act ionWamesToSortDecl-single] 

convertActionWamesToCmdConstrDecl($mid) = toMcrlCmdtJame($mid) ? toMcrlIsFunction(toMcrlCmdName($mid)) 
640 [convert Act ionWamesToSortDecl-multi] 

convert Act ionWamesToCmdConstrDecl ($mid $mid+) = convert Act ionNamesToCmdConstrDecl ($mid) | convertActionNamesToCmdConstrDecl($mid+) 

7.7. convert the class names from 'classname' into ' classname ? isclassname' 
[convertClassWamesToSortDecl-single] 
645 convertClassWamesToTypeConstrDecl($mid) = $mid ? toHcrlIsFunction($mid) 
[convertClassWamesToTypeSortDecl-multi] 
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665 



670 



680 



685 



690 



695 



700 



705 



convertClassNamesToTypeConstrDecl($mid $mid+) = convert ClassNamesToTypeConstrDecl ($mid) | convert ClassNamesToTypeConst rDecl ($mid+) 

'/,'/, Traversal functions to collect the classnames, action-names and statenames . 

[collect-class-definition] 

collectClassesCclass: $FWPART_$T0P$ $f smClassName $fsmState+, $mid*) = addToSet ($fsmClassName , $mid*) 
[collect-class-exprall] 

collectClasses($ALL$$fsmClassName, $mid*) = addToSet (concat ($f smClassName , _CLASS) , $mid*) 
[collect-class-exprany] 

collectClasses($ANY$$fsmClassName, $mid*) = addToSet (concat ($f smClassName , .CLASS), $mid*) 



660 [collect-command] 

collectCommandsfaction: $f smActionName $f smStatement+, $mid*) = addToSet ($f smActionWame , $mid*) 



[collect-state] 

collect St at es (state : $f smStateName $f smWhenClause+ $f smActionClause* , $mid*) = addToSet ($f smStateWame , $mid*) 
[collect-state-when] 

collectStates(when ( $fsmExpr ) move_to $f smStateName, $mid*) = addToSet($f smStateName, $mid*) 



[collect-state-statenamespec] 

$mid*l := collectStates ({ $f smStateNameSpecs* >, $mid*) 

collectStates( { $f smStateName , $f smStateNameSpecs*}, $mid*) = addToSet ($f smStateName, $mid*l) 



[collect-state-statenamespec-l-element] 
675 collectStates ( $f smStateName , $mid*) = addToSet($f smStateName, $mid*) 



'/,'/,%'/,'/,'/,'/,'/, Constructing a PType for an mcrl2 specification. 
[mcrl2GetPTypes-l] 

mcrl2GetPTypes($procSpec+) = 

PType = struct mcrl2PTypesFromProc Specs ($procSpec+) ; 

[mcrl2PTypesFromProcSpecs-one] 
mcrl2PTypesFromProcSpecs(proc $procDecl+) = 
mcrl2PTypesFromProcDecls($procDecl+) 

[mcr 12PType sFr omPr o cSpe c s -many] 

mcrl2PTypesFromProcSpecs(proc $procDecl+ $procSpec+) = 

mcrl2PTypesFromProcDecls($procDecl+) | mcrl2PTypesFromProcSpecs($procSpec+) 

[mcrl2PTypesFromProcDecls-one-l] 
mcrl2PTypesFromProcDecls($mid = $procExpr;) = 
convertClassNamesToTypeConstrDecl ($mid) 

[mcrl2PTypesFromProcDecls-many-l] 

mcrl2PTypesFromProcDecls($mid = $procExpr; $procDecl+) = 

convertClassNamesToTypeConstrDecl ($mid) | mcrl2PTypesFromProcDecls ($procDecl+) 

[mcrl2PTypesFromProcDecls-one-2] 

mcrl2PTypesFromProcDecls($mid ( $idsDecls ) = $procExpr;) = 
convertClassNamesToTypeConstrDecl ($mid) 

[mcrl2PTypesFromProcDecls-many-2] 

mcrl2PTypesFromProcDecls($mid ( $idsDecls ) = $procExpr; $procDecl+) = 

convertClassNamesToTypeConstrDecl ($mid) | mcrl2PTypesFromProcDecls ($procDecl+) 



[addToSet -empty] 
addToSet($mid,) = $mid 

[addToSet -multi same] 
710 addToSet ($mid,$mid $mid*) = $mid $mid* 

[addToSet-multidif f ] 
$mid != $midl 

addToSet($mid,$midl $mid*) = $midl addToSet($mid, $mid*) 



A.7 genericclauses.sdf 

1 module genericclauses 

imports basic/Comments 
imports merit 

5 

exports 

context-free syntax 

'/,'/, Insert the generic code that sends the commands to the children. 

insertGenericClauses (Mid) -> ProcExpr 
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hiddens 
variables 
15 "$f smClassName" -> Mid 



A.8 genericclauses.asf 

1 equations 

[insertGeneric] 

insertGenericClauses($f smClassName) = 

5 < 

7, BEGIN GENERIC CLAUSES (shared by all states) 

*/, Whenever we are not sending a command to the children, a child may 
% spontaneously change its state due to a hardware event and send its 
'/, state upward. Such state-change messages are called notifications. 
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% Notifications can occur in the following cases: 

y, (1) After initialization, while in the action phase: 

*/, (l.a) We have not received a command yet in this action phase. 

'/, (l.b) We are executing an action, or we finished executing an action but still have to send 

'/, some commands . 

*/, (2) During initialization . 

'/, Note that this implies that we never receive notifications during the 
% execution of the when phase (i) and we never receive notifcations 
'/, directly after we finish sending the last command after executing an 
'/, action (ii) . 

% The rationale behind this is as follows: 

'/, (i) The execution of the when clauses is a noninteractive process: the 
'/, system decides what the new state is, based only on *local* 

'/• (ii) After sending the last command, the model moves immediately into 
X the when phase. We should therefore not accept notifications at 

7, this point . 

7, (l.a) We have initialized and we have not yet received a command in this 
7, action phase. We now accept notifications. 

sum id:Id. (sum sl:State. (( (isActPhase (phase) ) kk (is_child(id, chs)) kk 
(pc(aArgs) == 0) kk (initialized(chs) ) ) -> 

rs(id, self, si) . 
move_phase(self , WhenPhase) . 

$f smClassName(self , parent, s, update_busy (id, false, update_state(id, si, chs)), WhenPhase, reset (aArgs) )) ) 

7« (l.b) We are in the middle of executing an action, or we finished 

7 t executing and still have to send some commands. We accept 

7. notifications, but we don't move to the when phase, since we still 

7 must execute one or more statements. 

sum id:Id.(sum si : State .{( (isActPhase (phase) ) kk (is_child(id, chs)) kk 
(Cpc(aArgs) > 0) I I 
((pc(aArgs) == -1) kk (cq(aArgs) != [])))) -> 
rs(id, self , si) . 
$f smClassNamefself , parent, s, 
update_busy (id, 

false, 

update_state(id, si, chs)), 
phase, aArgs))) + 



55 '/, Clause to send commands added by actions in the initialization phase. 

% Note that we keep track of the children which have not yet responded in 
7. the nrf list . 

((isActPhase (phase)) kk (cq(aArgs) != []) kk ( ! (initialized(chs) ) ) ) -> 
sc (self , id (head (cq (aArgs) ) ) , command (head (cq(aArgs) ) ) ) . 
60 $f smClassNamefself , parent, s, 

update_busy (id (head (cq( aArgs) ) ) , true , chs) , 
phase , 

actArgs (tail (cq( aArgs ) ) , 

(id(head(cq(aArgs)))) l>(nrf (aArgs)) , pc(aArgs), rsc(aArgs))) + 



7» Clause to send commands added by actions after the initialization phase. 

7> Note that we don't keep track of the children which have not yet 

7i responded. Recepients are only marked busy and not added to the nrf list. 



((isActPhase(phase)) kk (cq(aArgs) != []) kk initialized(chs) ) -> 
sc(self , id (head (cq (aArgs) ) ) , command (head (cq(aArgs) ) ) ) . 
$f smClassName (self , parent , s , 

update_busy (id (head (cq (aArgs) ) ) , true , chs) , 
phase , 

75 actArgs(tail(cq(aArgs) ) , [] , pc(aArgs), rsc(aArgs))) 
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% (2) Clause to receive the new states from the children during 
7> initialization. 

'/, Note that some children may spontaneously change state and send a 

'/, notification. This may cause us to receive more than one message from a 

'/, child while we wait for all children to respond. If a child sends two 

% state messages, we will only consider the last state when we process the 

7. when clauses . 

sum id:Id.(sum si : State. ( 

((isActPhase(phase)) kk (cq(aArgs) == [] ) kk (nrf(aArgs) != []) kk (is_child(id, chs)) kk 
(!(initialized(chs)))) -> 
rsfid, self, si) . 

((initialized(update_state(id,sl , chs) ) ) -> 
end_initialization(self ) . 

$f smClassWame (self , parent , s , update_state (id, si , chs) , phase , 

actArgs(cq(aArgs) , remove(id, nrf(aArgs)), -1, rsc(aArgs) 
)) <> 

$fsmClassWame(self , parent, s, update_state(id, si , chs) , phase, 

actArgs (cq(aArgs) , remove (id, nrf (aArgs) ) , -1 , rsc (aArgs) 
))))) + 

'/. Go to the when phase whenever all children are initialized, we executed 
7> an action and there are no pending messages. 

(CisActPhase (phase)) kk (cq(aArgs) == []) kk (initialized(chs)) kk (pc(aArgs) == -1)) -> 
move_phase (self , WhenPhase) . 

$f smClassNamefself , parent, s, chs, WhenPhase, reset (aArgs) ) 

7. END GENERIC CLAUSES 
) 
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class : $FWPART_$TOP$RPC_Wheel_CLASS 
! panel : CMS_RPCfwSupervisor/CHS_RPCfwSupervisorRPC_Wheel.pnl 
state : OFF ! color : FwStateOKNotPhysics 

when ( $ANY$FwCHILDREN in.state ERROR ) move.to ERROR 

when ( $ANY$FwCHILDREN in.state RAMPING ) move.to RAMPING 
when ( $ALL$FwCHILDREN in.state STANDBY ) move.to STANDBY 

when ( $ALL$FwCHILDREN in.state ON ) move.to ON 

when ( ( $ALL$FwCHILDREN not_in_state OFF ) and 
( $ANY$FwCHILDREN in.state STANDBY ) ) move.to STANDBY 
action: STANDBY Ivisible: 1 

do STANDBY $ALL$FwCHILDREN 
action: OFF Ivisible: 1 

do OFF $ALL$FwCHILDREN 
action: ON Ivisible: 1 

do ON $ALL$FwCHILDREN 
state: STANDBY ! color: FwStateOKNotPhysics 

when ( $ANY$FwCHILDREN in.state ERROR ) move.to ERROR 

when ( $ANY$FwCHILDREN in.state RAMPING ) move.to RAMPING 
when ( $ALL$FwCHILDREN in.state ON ) move.to ON 

when ( $ANY$FwCHILDREN in_state OFF ) move_to OFF 

action: ON Ivisible: 1 

do ON $ALL$FwCHILDREN 
action: OFF Ivisible: 1 

do OFF $ALL$FwCHILDREN 
action: STANDBY Ivisible: 1 

do STANDBY $ALL$FwCHILDREN 
state: ON I color: FwStateOKPhysics 

when ( $ANY$FwCHILDREN in.state ERROR ) move_to ERROR 

when ( $ANY$FwCHILDREN in.state RAMPING) move.to RAMPING 
when ( $ANY$FwCHILDREN in.state OFF ) move.to OFF 

when ( $ANY$FwCHILDREN in.state STANDBY ) move.to STANDBY 

action: STANDBY Ivisible: 1 

do STANDBY $ALL$FwCHILDREN 
action: OFF Ivisible: 1 

do OFF $ALL$FwCHILDREN 
action: ON I visible : 1 

do ON $ALL$FwCHILDREN 
state: ERROR I color: FwStateAttention3 

when ( ( $ANY$FwCHILDREN in.state RAMPING ) and 
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( $ALL$FwCHILDREN not_in_state ERROR ) ) move.to RAMPING 
50 when ( ( $ANY$FwCHILDREN in.state OFF ) and 

( $ALL$FwCHILDREN not_in_state ERROR ) ) move.to OFF 

when ( $ALL$FwCHILDREN in.state ON ) move.to ON 

55 when ( ( $ANY$FwCHILDREN in.state STANDBY ) and 

( $ALL$FwCHILDREN not_in_state ERROR ) ) move.to STANDBY 

action: ON ! visible : 1 
do ON $ALL$FwCHILDREN 
60 action: STANDBY Ivisible: 1 

do STANDBY $ A LL$Fw CHILDREN 
action: OFF Ivisible: 1 

do OFF $ALL$FwCHILDREN 
state: RAMPING ! color: FwStateAttentionl 
65 when ( $ANY$FwCHILDREN in.state ERROR ) move.to ERROR 

when ( $ALL$FwCHILDREN in.state ON ) move.to ON 
when ( $ALL$FwCHILDREN in.state STANDBY ) move.to STANDBY 
when ( ( $ALL$FwCHILDREN not_in_state RAMPING ) and 
( $ANY$FwCHILDREN in.state OFF ) ) move_to OFF 
70 when ( ( $ALL$FwCHILDREN not_in_state RAMPING ) and 

( $ANY$FwCHILDREN in.state STANDBY ) ) move.to STANDBY 
action: STANDBY Ivisible: 1 

do STANDBY $ALL$FwCHILDREN 
action: OFF Ivisible: 1 
75 do OFF $ALL$FwCHILDREN 

action: ON Ivisible: 1 
do ON $ALL$FwCHILDREN 
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sort 

Phase = struct WhenPhase TisWhenPhase I ActionPhase ?isActPhase; 

ActPhaseArgs = struct actArgs (cq: CommandQueue , nrf : IdList , pc : Int , rsc : Bool) ; 
Id = Nat; 

IdList = List (Id) ; 

Child = struct child(id:Id, state:State, ptype:PType, busy:Bool); 
Children = List(Child); 

ChildCommand = struct childcommand(id : Id, command : Command) ; 
CommandQueue = List (ChildCommand) ; 

PType = struct RPC_Wheel_CLASS ? isRPC.Wheel .CLASS; 

State = struct S_FSM_UNINITIALIZED ? isS_FSM_UNINITIALIZED | S_OFF ? isS.OFF | S.ERR0R ? isS_ERR0R I 

S.RAMPING ? isS.RAMPING | S.STANDBY ? isS.STANDBY I S_0N ? isS_0N; 
Command = struct C_ STANDBY ? isC_ STANDBY | C_DFF ? isC_DFF | C_0N ? isC_0N; 



rc,sc,cc: Id # Id # Command; 
rs.ss.cs: Id # Id # State; 
move.state: Id # State; 
move_phase: Id # Phase; 
ignored. command : Id # Command; 
queue_messages : Id; 
enter_then_clause : Id; 
enter_else_clause: Id; 
skip_then_clause : Id ; 
start_initialization: Id; 



in_state: Child # State -> Bool; 

in_any_of _states : Child # List(State) -> Bool; 

any_in_state : Children # List(State) -> Bool; 

all_in_state : Children # List (State) -> Bool; 

is_child: Id # Children -> Bool; 

f ilter_children: Children # PType -> Children; 

f ilter_children_accu: Children # PType # Children -> Children; 

send_command: Command # Children -> CommandQueue; 

update_state : Id # State # Children -> Children; 

update.busy: Id # Bool # Children -> Children; 

update_busy_all : Bool # Children -> Children; 

remove: Id # IdList -> IdList; 

initialized: Children -> Bool; 

children_to_ids : Children -> IdList; 

busy_children : Children -> Children; 

update_pc: ActPhaseArgs # Int -> ActPhaseArgs; 

reset: ActPhaseArgs -> ActPhaseArgs; 
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chs , chs_accu : Children; 

ch: Child; 

id,idl: Id; 

ids : IdList ; 

s,sl: State; 

si: List (State) ; 

t,tl: PType; 

cmd : Command ; 

b, bl, b2: Bool; 

pc , pel : Int ; 



in_state(child(id,s,t,b) ,sl) = s == si; 
in_any_of_states(ch, [] ) = false; 

in_any_of _states (ch, s I >sl) = in_state (ch, s) | | in_any_of _states (ch, si) ; 
any_in_state([] , si) = false; 

any_in_state(ch| > chs, si) = in_any_of_states(ch,sl) || any_in_state (chs , si) ; 
all_in_state([] , si) = true; 

all_in_state(ch|> chs, si) = in_any_of_states(ch,sl) kk all_in_state(chs,sl) ; 
is_child(id, [] ) = false; 

is_child(id, child(idl , s , t , b) l> chs) = id == idl || is_child(id, chs); 
filter_children(chs, t) = filter_children_accu(chs, t, [] ) ; 

f ilter_children_accu( [] ,t,chs_accu) = chs_accu; 
filter_children_accu(child(id,s,tl,b) l> chs, t, chs_accu) = 
if (t==tl, 

f ilter_children_accu(chs, t, child(id, s ,t ,b) | > chs.accu) , 
f ilter_children_accu(chs, t , chs_accu) ) ; 

send_command(cmd, [] ) = []; 
send_command(cmd, child ( id, s , t , b) I > chs) = 

childcommand(id.cmd) l> send_command(cmd,chs) ; 

update_state(id, s, [] ) = []; 

update_state(id, s, child(idl , si , t , b) l> chs) = 
if (id==idl, 

child(idl,s,t,b) l> chs, 

childfidl ,sl,t ,b) |> update_state(id,s,chs)) ; 
update_busy(id, b, []) = □; 

update_busy(id, b, childfidl , s , t , bl) |> chs) = 
if (id==idl, 

childfidl, s.t.b) l> chs, 

childfidl ,s,t ,bl) I > update_busy(id,b,chs)) ; 
update_busy_all(b, [] ) = [] ; 

update_busy_all(b, childfid, s , t ,bl) |> chs) = childf id, s , t , b) l> update_busy_all(b, chs); 

remove (id, [] ) = [] ; 
remove (id, idl | > ids) = 
if (id == idl, 
ids, 

idl |> removefid, ids)); 
initialized(chs) = !any_in_state(chs, [S_FSM_UNINITIALIZED] ) ; 
children_to_ids([]) = []; 

children_to_ids(child(id,s,t,b) l> chs) = id |> children_to_ids(chs) ; 
busy_children([]) = [] ; 

busy_children(child(id,s,t,true) l> chs) = child(id, s , t , true) l> busy_children(chs) ; 
busy_children (child (id, s ,t ,f alse) | > chs) = busy_ children (chs) ; 

update_pc(actArgs(cq, ids, pc, b) , pel) = actArgs(cq, ids, pel, b) ; 

reset (actArgs(cq, ids, pc, b)) = actArgs([], [] , 0, b) ; 

proc RPC_Wheel_CLASS(self : Id, parent: Id, s: State, chs: Children, phase: Phase, aArgs: ActPhaseArgs) 
( 

7. BEGIN STATE 

% 

7. BEGIN WHEN CLAUSES 

( 

7. BEGIN WHEN 

((isS_DFF(s)) kk (isWhenPhase(phase)) kk 

(any_in_state(chs, [S_ERR0R] ) ) ) -> 
move_state(self , S _ ERROR ) . 
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(( 

7 BEGIN ACTION 

(((isS_OFF(s)) kk (isActPhase (phase) ) kk (cq(aArgs) == [] ) ) -> 
(( 

7, BEGIH STATEMEHT DD 
((pc(aArgs) == 2) -> 

queue .messages (self ) . 

(RPC_Wheel_CLASS(self , parent, s, chs, phase, 
actArgs (send_command(C_DFF , 

chs), [] , -1, rsc(aArgs))))) 

% END STATEMENT DO 
))) + 

'/, END ACTION 
(( 

7. BEGIN ACTION 

C((isS_DFF(s)) kk (isActPhase (phase)) kk (cq(aArgs) == [] ) ) -> 
(( 

7. BEGIN STATEMENT DO 
(Cpc(aArgs) == 3) -> 

queue_messages (self ) . 

(RPC_Wheel_CLASS(self , parent, s, chs, phase, 
actArgs (send_command(C_DN , 

chs), [] , -1, rsc(aArgs))))) 

7. END STATEMENT DO 
))) + 

7, END ACTION 

(delta)))))) 
)) 

7 END ACTION CLAUSES 

% 

7, END STATE 

7 = 

) + 

( 

7 == 

7, BEGIN STATE 

% 

7 BEGIN WHEN CLAUSES 
( 

7 BEGIN WHEN 

( (isS_STANDBY (s) ) kk (isWhenPhase(phase)) kk 

(any_in_state(chs, [S_ERR0R] ) ) ) -> 
move_state(self , S .ERROR ) . 

RPC_Wheel_CLASS(self , parent, S_ERR0R, chs, phase, aArgs) <> 
7 END WHEN 

(( 

7 BEGIN WHEN 

( (isS_STANDBY (s) ) kk (isWhenPhase(phase)) kk 

(any_in_state(chs, [S_RAMPING] ) ) ) -> 
move_state(self , S_RAMPING) . 

RPC_Wheel_CLASS(self , parent, S.RAMPING, chs, phase, aArgs) <> 
7 END WHEN 

(( 

7 BEGIN WHEN 

( (isS_STANDBY (s) ) kk (isWhenPhase(phase)) kk 

(all_in_state(chs, [S_0N] ) ) ) -> 
move_state(self , S_0N) . 

RPC_Wheel_CLASS(self , parent, S_0N, chs, phase, aArgs) <> 
7 END WHEN 

(( 

7 BEGIN WHEN 

( (isS_STANDBY (s) ) kk (isWhenPhase(phase)) kk 

(any_in_state(chs, [S_0FF] ) ) ) -> 
move_state(self , S_DFF) . 

RPC_Wheel_CLASS(self , parent, S_0FF, chs, phase, aArgs) <> 
7 END WHEN 

(( 

7 BEGIN WHEN FALLTHROUGH 

( ( (isS_STANDBY (s) ) kk (isWhenPhase(phase))) -> 
ss (self , parent , s) . 
move_phase(self , ActionPhase) . 

RPC_Wheel_CLASS(self , parent, s, chs, ActionPhase, reset (aArgs) ) ) 

7 END WHEN FALLTHROUGH 

)) 

)) 

)) 

)) 

) + 

7 END WHEN CLAUSES 

7 
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((isS_0N(s)) kk (isWhenPhase(phase)) kk 

(any_in_state(chs, [S.ERROR] ) ) ) -> 
move_state(self , S_ERRDR) . 

RPC_Wheel_CLASS(self , parent, S.ERROR, chs, phase, aArgs) <> 

'/, END WHEN 

(( 

'/, BEGIN WHEN 

((isS_0N(s)) kk (isWhenPhase(phase)) kk 

(any_in_state (chs , [S.RAMPING] ) ) ) -> 
move_state(self , S_RAMPING) . 

RPC_Wheel_CLASS(self , parent, S.RAMPING, chs, phase, aArgs) <> 

'/, END WHEN 

(( 

% BEGIN WHEN 

((isS_0N(s)) kk (isWhenPhase(phase)) kk 

(any_in_state(chs, [S_0FF]))) -> 
move_state(self , S_DFF) . 

RPC_Wheel_CLASS(self , parent, S_0FF, chs, phase, aArgs) <> 

1 END WHEN 

(( 

% BEGIN WHEN 

((isS_0N(s)) kk (isWhenPhase (phase)) kk 

(any_in_state (chs , [S.STANDBY] ) ) ) -> 
move_state(self , S_ STANDBY) . 

RPC_Wheel_CLASS(self , parent, S.STANDBY, chs, phase, aArgs) <> 

'/, END WHEN 

(( 

7, BEGIN WHEN FALLTHRDUGH 

(((isS_0N(s)) kk (isWhenPhase(phase))) -> 
ss (self , parent , s) . 
move_phase(self , ActionPhase) . 

RPC_Wheel_CLASS(self , parent, s, chs, ActionPhase, reset (aArgs) ) ) 

7, END WHEN FALLTHROUGH 

)) 

)) 

)) 

)) 

) + 

7, END WHEN CLAUSES 

1 



7, BEGIN ACTION CLAUSES 

7, BEGIN INITIALIZATION CHECK 

((isS_0N(s)) kk (isActPhase(phase)) kk ( ! (initialized(chs))) kk 
435 (pc(aArgs) == 0) kk (nrf(aArgs) == [])) -> 

st art .initialization (self) . 

RPC_Wheel_CLASS(self , parent, s, chs, phase, 

actArgs([], children_to_ids(chs) , 0, rsc(aArgs))) <> 
7, END INITIALIZATION CHECK 
440 7, BEGIN CLAUSE SELECTOR 

((initialized(chs)) -> 
( 

(((isS_0N(s)) kk (isActPhase(phase)) kk (cq(aArgs) == [] ) kk (pc(aArgs) == 0)) -> 
sum c : Command. ( 
445 rc (parent, self, c) . 

(isC_STANDBY(c) -> RPC_Wheel_CLASS (self , parent, s, chs, phase, update _pc (aArgs , 1)) <> ( 
(isC_0FF(c) -> RPC_Wheel_CLASS(self , parent, s, chs, phase, update.pc (aArgs , 2)) <> ( 
(isC_0N(c) -> RPC_Wheel_CLASS(self , parent, s, chs, phase, update _pc (aArgs , 3)) <> ( 
ss (self , parent , s) . 
ignored_command(self , c) . 
RPC_Wheel_CLASS(self , parent, s, chs, phase, update_pc(aArgs, -1)))))))) 
)) + 

% END CLAUSE SELECTOR 
( 

455 7, BEGIN ACTION 

(((isS_0N(s)) kk (isActPhase(phase)) kk (cq(aArgs) == [] ) ) -> 
(( 

7, BEGIN STATEMENT DO 
((pc(aArgs) == 1) -> 



queue_messages(self) . 

(RPC_Wheel_CLASS(self , parent, s, chs, phase, 
actArgs (send_command(C_STANDBY , 

chs), [] , -1, rsc(aArgs))))) 

7, END STATEMENT DO 
))) + 

% END ACTION 

(( 

% BEGIN ACTION 

(((isS_0N(s)) kk (isActPhase (phase)) kk (cq(aArgs) == [] ) ) -> 
(( 

7 BEGIN STATEMENT DO 
((pc (aArgs) == 2) -> 

queue_messages (self ) . 
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(RPC_Wheel_CLASS(self , parent, s, chs, phase, 
actArgs (send_command(C_OFF , 

chs), [] , -1, rsc(aArgs))))) 

% END STATEMENT DO 
))) + 

7, END ACTION 
(( 

% BEGIN ACTION 

(((isS_0N(s)) kk (isActPhase(phase)) kk (cq(aArgs) == [] ) ) -> 
CC 

7. BEGIN STATEMENT DO 
((pc (aArgs) == 3) -> 

queue .messages (self ) . 

(RPC_Wheel_CLASS(self , parent, s, chs, phase, 
actArgs (send_ command (C_0N , 

chs), [] , -1, rsc(aArgs))))) 

7. END STATEMENT DO 
))) + 

7. END ACTION 



(delta)))))) 
)) 

7. END ACTION CLAUSES 



7, END STATE 
'/. 

) + 

( 

V. 

7, BEGIN STATE 

• /t 

7. BEGIN WHEN CLAUSES 
( 

7. BEGIN WHEN 

((isS_ERRDR(s)) kk (isWhenPhase(phase) ) kk 

((any_in_state(chs, [S.RAMPING] ) ) kk ( ! (any_in_state (chs , [S.ERROR] ) ) ) ) ) 
move_state(self , S .RAMPING) . 

RPC_Wheel_CLASS(self , parent, S_RAMPING, chs, phase, aArgs) <> 

7, END WHEN 

(( 

7. BEGIN WHEN 

( (isS_ERRDR(s) ) kk (isWhenPhase (phase) ) kk 

((any_in_state(chs, [S_DFF] ) ) kk ( ! (any_in_state (chs , [S_ERR0R] ) ) ) ) ) -> 
move_state(self , S_0FF) . 

RPC_Wheel_CLASS(self , parent, S_DFF, chs, phase, aArgs) <> 

7, END WHEN 

(( 

7. BEGIN WHEN 

((isS_ERRDR(s)) kk (isWhenPhase (phase) ) kk 

(all_in_state(chs, [S_0N] ) ) ) -> 
move_state(self , S_0N) . 

RPC_Wheel_CLASS(self , parent, S_0N, chs, phase, aArgs) <> 

7, END WHEN 

(( 

7. BEGIN WHEN 

((isS_ERRDR(s)) kk (isWhenPhase (phase) ) kk 

( (any_in_state (chs , [S_ STANDBY] ) ) kk ( ! (any_in_ state (chs , [S.ERROR] ) ) ) ) ) 
move_state(self , S.STANDBY) . 

RPC_Wheel_CLASS(self , parent, S_ STANDBY, chs, phase, aArgs) <> 

7, END WHEN 

(( 

7, BEGIN WHEN FALLTHROUGH 

( ( (isS_ERRDR(s) ) kk (isWhenPhase (phase) ) ) -> 
ss (self , parent , s) . 
move_phase(self , ActionPhase) . 

RPC_Wheel_CLASS(self , parent, s, chs, ActionPhase, reset (aArgs) ) ) 

7, END WHEN FALLTHROUGH 

)) 

)) 

)) 

)) 

) + 

7, END WHEN CLAUSES 
7, 



% 

7. BEGIN ACTION CLAUSES 
7. BEGIN INITIALIZATION CHECK 
( (isS_ERRDR(s) ) kk (isActPhase(phase 
(pc (aArgs) == 0) kk (nrf (aArgs) == 
start_initialization(self ) . 



0) kk (! (initialized(chs))) kk 
□ )) -> 
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560 RPC_Wheel_CLASS(self , parent, s, chs, phase, 

actArgs([], children_to_ids(chs) , 0, rsc(aArgs))) <> 
7, END INITIALIZATION CHECK 
'/, BEGIN CLAUSE SELECTOR 
( (initialized (chs) ) -> 

565 < 

(((isS_ERROR(s)) kk (isActPhase (phase) ) kk (cq(aArgs) == [] ) kk (pc(aArgs) == 0)) -> 
sum c : Command . ( 

rc(parent, self, c) . 

(isC_0N(c) -> RPC_Wheel_CLASS(self , parent, s, chs, phase, update.pc (aArgs , 1)) <> ( 
570 (isC_STANDBY(c) -> RPC_Wheel_CLASS (self , parent, s, chs, phase, update.pc (aArgs , 2)) <> ( 

(isC_DFF(c) -> RPC_Wheel_CLASS(self , parent, s, chs, phase, update _pc (aArgs , 3)) <> ( 
ss (self , parent , s) . 
ignored_command(self , c) . 

RPC_Wheel_CLASS(self , parent, s, chs, phase, update_pc(aArgs, -1)))))))) 

575 )) . 

7, END CLAUSE SELECTOR 
( 

% BEGIN ACTION 

(((isS_ERROR(s)) kk (isActPhase (phase) ) kk (cq(aArgs) == [] ) ) -> 

580 (( 

7, BEGIN STATEMENT DO 
((pc(aArgs) == 1) -> 

queue_messages (self ) . 

(RPC_Wheel_CLASS(self , parent, s, chs, phase, 
585 actArgs (send_command(C_DN , 

chs), [] , -1, rsc(aArgs))))) 

7. END STATEMENT DO 
))) + 

7. END ACTION 

590 ( ( 

7. BEGIN ACTION 

(((isS_ERROR(s)) kk (isActPhase (phase) ) kk (cq(aArgs) == [] ) ) -> 
(( 

7. BEGIN STATEMENT DO 
595 ((pc(aArgs) == 2) -> 

queue_messages (self ) . 

(RPC_Wheel_CLASS(self , parent, s, chs, phase, 
actArgs (send.comm and (C.STANDBY, 

chs), [] , -1, rsc(aArgs))))) 

600 7, END STATEMENT DO 

))) + 

7, END ACTION 

(( 

7, BEGIN ACTION 

605 (((isS_ERROR(s)) kk (isActPhase (phase) ) kk (cq(aArgs) == [] ) ) -> 

(( 

% BEGIN STATEMENT DO 
((pc (aArgs) == 3) -> 

queue .messages (self ) . 

610 (RPC_Wheel_CLASS(self , parent, s, chs, phase, 

actArgs (send_command(C_DFF , 

chs), [] , -1, rsc(aArgs))))) 

7, END STATEMENT DO 
))) + 

615 7, END ACTION 

(delta)))))) 
)) 

7, END ACTION CLAUSES 

620 

'/„ END STATE 

y 

) ♦ 

625 ( 

•/, 

7, BEGIN STATE 

•/. 

630 7, BEGIN WHEN CLAUSES 

( 

7, BEGIN WHEN 

((isS_RAMPING(s)) kk (isWhenPhase(phase)) kk 
(any_in_state (chs , [S_ERR0R] ) ) ) -> 

635 move_state(self , S .ERROR ) . 

RPC_Wheel_CLASS(self , parent, S_ERR0R, chs, phase, aArgs) <> 
7, END WHEN 

(( 

7, BEGIN WHEN 

640 ((isS_RAMPING(s)) kk (isWhenPhase(phase)) kk 

(all_in_state(chs, [S_0N] ) ) ) -> 
move_state(self , S_0N) . 

RPC_Wheel_CLASS(self , parent, S_0N, chs, phase, aArgs) <> 
7, END WHEN 
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645 « 

X BEGIN WHEH 

((isS_RAMPING(s)) kk (isWhenPhase(phase)) kk 

(all_in_state (chs , [S.STANDBY] ) ) ) -> 
move_state(self , S_ STANDBY) . 
650 RPC_Wheel_CLASS(self , parent, S.STANDBY, chs, phase, aArgs) <> 

'/, END WHEN 
(( 

X BEGIN WHEN 

((isS_RAMPING(s)) kk (isWhenPhase(phase)) kk 
655 ((! (any_in_state(chs, [S.RAMPING] ) ) ) M (any_in_state(chs, [S_DFF] ) ) ) ) -> 

move_state(self , S_0FF) . 

RPC_Wheel_CLASS(self , parent, S_0FF, chs, phase, aArgs) <> 
7, END WHEN 

cc 

660 X BEGIN WHEN 

C(isS_RAMPING(s)) kk (isWhenPhase(phase)) kk 

((! (any_in_state(chs, [S.RAMPING] ) ) ) kk (any_in_state (chs , [S.STANDBY] ) ) ) ) -> 
move_state(self , S.STANDBY) . 

RPC_Wheel_CLASS(self , parent, S_ STANDBY, chs, phase, aArgs) <> 
665 7, END WHEN 

CC 

7. BEGIN WHEN FALL THROUGH 

(((isS_RAMPING(s)) kk CisWhenPhaseCphase))) -> 
ssCself, parent, s) . 
670 move_phaseCself , ActionPhase) . 

RPC_Wheel_CLASS(self , parent, s, chs, ActionPhase, reset (aArgs) ) ) 

% END WHEN FALLTHROUGH 

)) 

)) 

675 )) 

)) 
)) 
) + 

680 •/. END WHEN CLAUSES 

x 

% 

7, BEGIN ACTION CLAUSES 
685 7, BEGIN INITIALIZATION CHECK 

((isS_RAMPING(s)) kk CisActPhase (phase) ) kk ( ! (initialized(chs) ) ) kk 
(pc(aArgs) == 0) kk (nrf(aArgs) == [])) -> 
start_initialization(self ) . 

RPC_Wheel_CLASS(self , parent, s, chs, phase, 
690 actArgs([], children_to_ids Cchs) , 0, rsc (aArgs))) <> 

7, END INITIALIZATION CHECK 
7. BEGIN CLAUSE SELECTOR 
((initialized (chs)) -> 
C 

695 (((isS_RAMPING(s)) kk CisActPhase Cphase) ) kk (cq(aArgs) == []) kk (pcCaArgs) == 0)) -> 

sum c : Command. ( 

rc (parent, self, c) . 

(isC.STANDBY(c) -> RPC_Wheel_CLASS(self , parent, s, chs, phase, update_pc (aArgs , 1)) <> ( 
(isC_0FF(c) -> RPC_Wheel_CLASS(self , parent, s, chs, phase, update_pc (aArgs , 2)) <> ( 
700 (isC_0N(c) -> RPC_Wheel_CLASS(self , parent, s, chs, phase, update.pc (aArgs , 3)) <> ( 

ss(self, parent, s) . 
ignored_command(self , c) . 

RPC.Whe el .CLASS (self , parent, s, chs, phase, update_pc(aArgs, -1)))))))) 
)) + 

705 7, END CLAUSE SELECTOR 

( 

7. BEGIN ACTION 

(((isS_RAMPING(s)) kk (isActPhase (phase)) kk (cq(aArgs) == [])) -> 

710 cc 

7. BEGIN STATEMENT DO 
((pc (aArgs) == 1) -> 

queue .messages (self ) . 

(RPC_Wheel_CLASS(self , parent, s, chs, phase, 
715 actArgs(send_command(C_STANDBY, 

chs), [] , -1, rsc(aArgs))))) 

7, END STATEMENT DO 
))) + 

7. END ACTION 

720 

cc 

% BEGIN ACTION 

(CCisS.RAHPINGCs)) && CisActPhase Cphase) ) && (cq{aArgs) == [])) -> 
CC 

725 7. BEGIN STATEMENT DO 

((pc(aArgs) == 2) -> 

queue .messages (self ) . 

(RPC_Wheel_CLASS(self , parent, s, chs, phase, 
act Args (send_command(C_OFF , 
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730 



735 



740 



745 



7. END STATEMENT DO 
))) + 

7, END ACTION 



7. BEGIN ACTION 

C((isS_RAMPIWG(s)) kk (isActPhase (phase) ) kk (cq(aArgs) == [])) -> 
CC 

7. BEGIN STATEMENT DO 
((pc (aArgs) == 3) -> 

queue .messages (self ) . 

(RPC_Wheel_CLASS(self , parent, s, chs, phase, 
act Args (send_command(C_ON , 

chs), [] , -1, rsc(aArgs))))) 

7. END STATEMENT DO 
))) + 

7. END ACTION 



750 



(delta)))))) 
)) 

7. END ACTION CLAUSES 
% 



755 



7. END STATE 
7. 



760 



765 



770 



775 



780 



785 



790 



800 



805 



810 



c 

7, BEGIN GENERIC CLAUSES (shared by all states) 

sum id:Id.(sum si : State .{{ (isActPhase (phase) ) kk (is_child(id, chs)) kk 
(pc(aArgs) == 0) kk (initialized(chs) ) ) -> 

rs(id, self, si) . 
move_phase (self , WhenPhase) . 

RPC_Wheel_CLASS(self , parent, s, update_busy (id, false, update_state(id, si, chs)), WhenPhase, reset (aArgs) )) ) 

sum id:Id.(sum si : State .({ (isActPhase (phase) ) kk (is_child(id, chs)) kk 
((pc (aArgs) > 0) I I 
(Cpc(aArgs) == -1) kk (cq(aArgs) != [])))) -> 
rs(id, self, si) . 
RPC_Wheel_CLASS(self , parent, s, 
update_busy (id, 

false, 

update_state (id, si , chs) ) , 
phase , aArgs ) ) ) + 

((isActPhase (phase)) kk (cq(aArgs) != []) kk ( ! (initialized (chs) ) ) ) -> 
sc(self , id (head (cq (aArgs) ) ) , command (head (cq(aArgs) ) ) ) . 
RPC_Wheel_CLASS(self , parent, s, 

update_busy (id (head (cq( aArgs) ) ) , true , chs) , 

actArgs(tail(cq(aArgs)) , 

(id(head(cq(aArgs))))|>(nrf(aArgs)), pc(aArgs), rsc(aArgs))) + 

((isActPhase (phase)) kk (cq(aArgs) != [] ) kk initialized(chs) ) -> 
sc (self , id(head(cq(aArgs) ) ) , command(head(cq(aArgs) ) ) ) . 
RPC_Wheel_CLASS(self , parent, s, 

update_busy( id (head (cq (aArgs) ) ) , true , chs) , 

actArgs(tail(cq(aArgs)) , [] , pc(aArgs), rsc(aArgs))) + 



sum id:Id.(sum sl:State.( 

((isActPhase(phase)) kk (cq(aArgs) == [] ) kk (nrf(aArgs) != []) kk (is_child(id, chs)) kk 
(! (initialized(chs)))) -> 
rs(id, self, si). 

795 ({initialized(update_state(id,sl ,chs) ) ) -> 

end_initialization(self ) . 

RPC_Wheel_CLASS(self , parent, s, update_state (id, si , chs) , phase, 

act Args (cq (aArgs) , remove(id, nrf(aArgs)), -1, rsc(aArgs) 
)) <> 



RPC_Wheel_CLASS(self , parent, s, update.state (id , si , chs) , phase, 

act Args (cq (aArgs) , remove(id, nrf(aArgs)), -1, rsc(aArgs) 
))))) + 

((isActPhase(phase)) kk (cq(aArgs) == [] ) kk (initialized(chs) ) kk (pc(aArgs) == -1)) -> 
move_phase(self , WhenPhase). 

RPC_Wheel_CLASS(self , parent, s, chs, WhenPhase, reset (aArgs) ) 

% END GENERIC CLAUSES 
); 

init 

allow ({cs , cc, raove_state , move_phase , ignored_command, 

queue _mes sages , enter_then_clause , enter_else_clause, 
skip_then_clause , start _initializat ion, end_initialization , 
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815 noop_statement} , 

comm(-trs | ss -> cs, rc|sc -> cc>, 
RPC_Wheel_CLASS(l, 1, S_OFF, [] , 

ActionPhase,actArgs( [] , [] , 
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